Hi there,
I have events which indicate opening and closing of an event. I want to see the amount of open events (that did not get a closing event by that time) at a given time.
Snippet from my search so far:
... | stats earliest(_time) as _time by processid, service, location | eval combkey = service." - ".processid | eval openclosed = if(location="o","close","open") | timechart...
I just have no idea how to achieve this.
Any idea is welcome :-)
thanks
lordadmiral
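
One way to get the open count, as an added example that is not part of the original post: give every opening event +1 and every closing event -1, keep a running sum with streamstats, and chart the latest sum per time bucket. The first six lines only build constructed sample rows (field constructed_sample, offsets in seconds); the search assumes openclosed holds the literal values open and close.

```spl
| makeresults
| eval constructed_sample="0,svcA,101,open;60,svcA,102,open;300,svcA,101,close;420,svcB,7,open;600,svcA,102,close"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<offset>\d+),(?<service>[^,]+),(?<processid>[^,]+),(?<openclosed>\w+)$"
| eval _time = relative_time(now(), "-1h@h") + tonumber(offset)
| eval combkey = service." - ".processid
| eval delta = if(openclosed="open", 1, -1)
| sort 0 _time
| streamstats sum(delta) as open_events
| timechart span=1m latest(open_events) as open_events
| filldown open_events
```

Opens that happened before the search window are not counted, and a close without a matching open pushes the sum below zero, so the time range has to cover the start of every event that should appear in the chart.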