My search calculates the number of events of a field per hour per day.
In my chart result I only want to see the max of each day.
mysearch | timechart count span=1h as nb | eval Day=strftime(_time,"%Y/%m/%d") | dedup nb | top 1 nb by Day | sort + Day | table Day nb
The result looks like this:
Day nb
2019-08-26 300
2019-08-27 252
2019-08-28 354
2019-08-29 458
But I would like to see the time slot in my result, like this:
Day nb
2019-08-26 10:00:00 300
2019-08-27 15:00:00 252
2019-08-28 13:00:00 354
2019-08-29 11:00:00 458
How do I do that?
Thanks