My query is something like below
index = "A" | table x | stats dc(x) as total | appendcols [search index = "B" earliest="d" latest="@now" | table y | stats dc (y) as active ] | eval ratio = active/total
index "B" consists of real time events and we get distinct user counts in variable "active".
index "A" consists of total user count
I want to plot ratio over a period of time (span = 1h)
Tried few queries but couldn't get to the result
↧