As a example, I have a search that calculates "Unique Users per Application" and this can be constrained to a particular timeframe with either a timerange picker or earliest/latest fields.
| stats dc(UserId) AS UserLogonCount BY ApplicationId | table ApplicationId UserLogonCount
What I would like to do is extend this to essentially be a timechart but in a table format that shows 1 day, 1 week, 1 month values etc.
The only way I can think of is to append multiple searches that use earliest/latest to define the different time periods, however this seen rather inefficient to me.
What other options do I have?
↧