Hello everyone,
In my query, if my field value (Current_Day, Current_Day_Actual, Current_Day_Average, DifferenceFromAverage) is zero, then I am not getting the proper output.
For example:
This is the result from my query:
Hour_Of_Day  Current_Day  Current_Day_Actual  Current_Day_Average  DifferenceFromAverage
01           Wed          4                   2                    2
03           Wed          10                  5                    5
04           Wed          4                   3                    1
05           Wed          32                  23                   9
06           Wed          68                  130                  -62
For "hour_of_day"=01 I am not getting the output. Could anyone help me with this?
This is the query:
index=auto_prod_okta eventType="user.authentication.sso" "target{}.alternateId"=SmartCash earliest=-4w
| rename target{}.alternateId AS "id"
| eval Hour_Of_Day = strftime(_time, "%H")
| eval Week_Day = strftime(_time,"%a")
| eval Today=strftime(now(),"%a")
| eval Current_Day=if(Week_Day=Today,Today,null())
| stats count(id) AS "Total_Login" by Hour_Of_Day,Current_Day
| eval DailyLogins=(Total_Login/4)
| stats values(DailyLogins) AS "Current_Day_Average" by Hour_Of_Day,Current_Day
| eval Current_Day_Average=ceil(Current_Day_Average)
| join Hour_Of_Day
    [ search index=auto_prod_okta eventType="user.authentication.sso"
      "target{}.alternateId"=SmartCash earliest=@d
    | rename target{}.alternateId AS "id"
    | eval Hour_Of_Day = strftime(_time, "%H")
    | eval time_date = strftime(_time,"%w")
    | stats count(id) AS "Current_Day_Actual" by Hour_Of_Day, time_date
    | chart values(Current_Day_Actual) AS Current_Day_Actual by Hour_Of_Day
    | table Hour_Of_Day Current_Day_Actual]
| eval DifferenceFromAverage=(Current_Day_Actual-Current_Day_Average)
| table Hour_Of_Day,Current_Day,Current_Day_Actual,Current_Day_Average,DifferenceFromAverage
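
An added example, not part of the original post: `stats ... by Hour_Of_Day` emits no row for an hour that has no events, and `join` defaults to an inner join, so hours with a zero count drop out of the result. The sketch below assumes a fixed 24-hour scaffold, left joins and `fillnull`; the two `makeresults` subsearches are constructed sample data that reuses the values from the table in the post.

```spl
| makeresults count=24
| streamstats count AS n
| eval Hour_Of_Day=printf("%02d", n-1)
| table Hour_Of_Day
| join type=left Hour_Of_Day
    [| makeresults
     | eval row=split("01:2 03:5 04:3 05:23 06:130", " ")
     | mvexpand row
     | eval Hour_Of_Day=mvindex(split(row, ":"), 0)
     | eval Current_Day_Average=tonumber(mvindex(split(row, ":"), 1))
     | table Hour_Of_Day Current_Day_Average]
| join type=left Hour_Of_Day
    [| makeresults
     | eval row=split("01:4 03:10 04:4 05:32 06:68", " ")
     | mvexpand row
     | eval Hour_Of_Day=mvindex(split(row, ":"), 0)
     | eval Current_Day_Actual=tonumber(mvindex(split(row, ":"), 1))
     | table Hour_Of_Day Current_Day_Actual]
| fillnull value=0 Current_Day_Average Current_Day_Actual
| eval DifferenceFromAverage=Current_Day_Actual-Current_Day_Average
| eval Current_Day=strftime(now(), "%a")
| table Hour_Of_Day Current_Day Current_Day_Actual Current_Day_Average DifferenceFromAverage
```

The result has one row for every hour from 00 to 23, with 0 in the count columns for hours that had no logins. Against real data, each `makeresults` subsearch is replaced by the corresponding `stats` search from the post.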