I want to find/graph the count of (dc(X) as dc_X_count by Y) by day.
In other words, I have some events in a basic search with two IDs, X and Y. There are 1 or more X values per Y. The max number of X/Y is reasonable (like say < 50/day).
But what I want to know is how many of each number of X/Y's is happening per day. Example use case: X is an account id, Y is a device id. We can have multiple accounts logging into the same device. So I want to find the count of # of accounts/device each day (e.g., 100 devices have 1 account logging in, 50 devices have 2 accounts logging in, etc.).
To get the initial pass of data, it looks like:
search for login events containing accountid(X), deviceid(Y) ... | timechart span=1d dc(accountid) as accounts_count by deviceid
But then I don't know how to get a count of those results by day.
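One way to get that per-day distribution, as an added example that is not part of the original post: aggregate twice, first to distinct accounts per device per day, then to the number of devices at each accounts_count value. The `makeresults` lines build six constructed sample events (device and account names are made up) that stand in for the base login search, and `limit=0` keeps `timechart` from folding the less common counts into OTHER.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = relative_time(now(), "@d") - if(n<=4, 0, 86400)
| eval deviceid = case(n<=2, "dev-A", n<=4, "dev-B", n==5, "dev-A", n==6, "dev-C")
| eval accountid = case(n==1, "acct-1", n==2, "acct-2", n==3, "acct-1", n==4, "acct-1", n==5, "acct-3", n==6, "acct-3")
| bin _time span=1d
| stats dc(accountid) AS accounts_count BY _time, deviceid
| timechart span=1d limit=0 count BY accounts_count
```

Against real data, replace the first five lines with the login-event search and keep the last three. Each column of the result is an accounts-per-device value and each cell is the number of devices that had that many accounts on that day.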