I am logging events of my application by session. i.e whenever the app is started, I generate a new SessionId and then generate events. Two of the events generated are "Startup" and "Shutdown". Each event has a StartTime field, too.
I am trying to write a search that will look at all sessions and show me how many sessions did not have a Shutdown entry over time. Essentially letting me see how many crashes I'm getting over time.
I've come close with this:
index=foo source=barDB | WHERE EventName="Shutdown" OR EventName="Startup" | BUCKET SessionId |STATS count BY SessionID
this gives me a list with a sessionID column and a count column containing either 1 or a 2. I now want to chart the ones that have a 1 over time.
Any ideas?
↧