I'm trying to rectify a search where the chart should represent a trend but is actually just adding the last active user count and the current active user count and showing the sum in the Trend column:
e.g.:
2016-08-10 11:10:00 17 17
2016-08-10 11:15:00 20 37
2016-08-10 11:20:00 0 37
Search:
index="X" sourcetype="Y" DOMAIN="ACTIVE_USER" | lookup host_lookup HOSTNAME OUTPUT SYSTEM | dedup HOSTNAME,ACTIVE_USER | where ACTIVE_USER!="NO_USER" | timechart span=5m dc(ACTIVE_USER) as "Active User Count" | addtotals | streamstats sum(Total) as "Trend" | fields - Total