11

I'm trying to do a query that will first aggregate by field count and after by bin(1h). For example, I would like to get a result like:

# Date                     Field Count
1 2019-01-01T10:00:00.000Z A     123
2 2019-01-01T11:00:00.000Z A     456
3 2019-01-01T10:00:00.000Z B     567
4 2019-01-01T11:00:00.000Z B     789

Not sure if it's possible though, the query should be something like:

fields Field
| stats count() by Field by bin(1h)

Any ideas how to achieve this?

Orest

3 Answers

10

Is this what you need?

fields Field | stats count() by Field, bin(1h)
Dejan Peretin
  • 3
    Hi, this solution does not allow to see line charts. My use case is to create a graph that displays one line per TaskId with average CPU and memory data. Something like this, but it doesn't work: stats avg(MemoryUtilized) by TaskId, bin(5m). Do you think it's doable? Thanks – Hugo Mallet Feb 25 '22 at 10:19
  • Hey @HugoMallet, were you able to figure it out? – Raghav May 02 '22 at 10:09
  • No, I haven't ☹️ – Hugo Mallet May 05 '22 at 07:02
1

If you want to create a line chart, you can do it by separately counting each value that your field could take.

fields
    Field = 'A' as is_A,
    Field = 'B' as is_B
| stats sum(is_A) as A, sum(is_B) as B by bin(1hour)

This solution requires your query to include a string literal of each value ('A' and 'B' in OP's example). It works as long as you know what those possible values are.

This might be what Hugo Mallet was looking for, except the avg() function won't work here, so he'd have to calculate the average by dividing by a total.

John Skiles Skinner
-1

Not able to group by a certain field and create visualizations.

fields Field
| stats count() by Field, bin(1h)

Keep getting this message

No visualization available. Try this to get started:
stats count() by bin(30s)
Sabarish
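
The query in the first answer returns one row per (Field, bin) pair, which the console does not chart as one line per value (see the comments above and the third answer). As an added example, not part of any post on this page: a Python sketch that pivots rows shaped like the `results` list of the GetQueryResults API into one series per Field value, for plotting outside the console. The sample rows are constructed, and the column names `bin(1h)` and `count()` are assumptions about how the result columns are labelled.

```python
from collections import defaultdict


def _row(field, hour, count):
    # One result row in GetQueryResults shape: a list of {"field", "value"} cells.
    return [
        {"field": "Field", "value": field},
        {"field": "bin(1h)", "value": f"2019-01-01 {hour}:00:00.000"},
        {"field": "count()", "value": str(count)},
    ]


# Constructed sample: the question's four rows plus one bin where only A logged.
SAMPLE_RESULTS = [
    _row("A", 10, 123), _row("A", 11, 456), _row("A", 12, 42),
    _row("B", 10, 567), _row("B", 11, 789),
]


def pivot(results, group_field, bin_field, value_field, fill=0.0):
    """Return (sorted bins, {group: [value per bin]}).

    Bins with no row for a group get `fill`: 0.0 suits count(), None suits
    avg(), where a missing bin is a gap rather than a zero.
    """
    cells = defaultdict(dict)
    bins = set()
    for row in results:
        rec = {cell["field"]: cell["value"] for cell in row}
        if not {group_field, bin_field, value_field} <= rec.keys():
            continue  # skip rows that lack any of the three columns
        bins.add(rec[bin_field])
        cells[rec[group_field]][rec[bin_field]] = float(rec[value_field])
    ordered = sorted(bins)  # fixed-width timestamp strings sort chronologically
    series = {g: [by_bin.get(b, fill) for b in ordered]
              for g, by_bin in sorted(cells.items())}
    return ordered, series


if __name__ == "__main__":
    bins, series = pivot(SAMPLE_RESULTS, "Field", "bin(1h)", "count()")
    print("bin".ljust(24), *(g.rjust(6) for g in series))
    for i, b in enumerate(bins):
        print(b.ljust(24), *(f"{vals[i]:6.0f}" for vals in series.values()))
```

Unlike the second answer's approach, this does not require knowing the Field values in advance, and it works for an avg() column when called with `fill=None`.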