1 comment

  •
    Caleb Fogleman
    Hi Robert,

    To find this data, for the past 24 hours, I would use the following query:

        * | timeslice 1s
        | count by _timeslice, _collector
        | avg(_count) as eps by _collector
        | sort by eps

    Of course, you can swap _collector out for _source, _sourceCategory, etc., depending on how you'd like your breakdown. If you run this query over 24 hours, it should provide results almost immediately, then refine them as the query continues to execute.

    I hope this helps!

    Caleb F.
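The aggregation the query above performs (bucket events into 1-second timeslices, count per bucket and collector, then average the per-bucket counts) is easy to misread when a source is bursty, because the average only spans timeslices that contain at least one event. The following is an added example, not code from Caleb's comment or from Sumo Logic, that reproduces the query's logic in Python over a small constructed set of log records and contrasts it with a total-events-over-window figure so the difference is visible. The record layout, collector names and the `eps_over_window` comparison are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (ISO 8601 timestamp, collector name).
# web-01 is bursty: three events in second 0, one in second 1, nothing
# in seconds 2-4, one in second 5.  db-01 is steady: one event per second.
SAMPLE_LOGS = [
    ("2024-01-01T00:00:00Z", "web-01"),
    ("2024-01-01T00:00:00Z", "web-01"),
    ("2024-01-01T00:00:00Z", "web-01"),
    ("2024-01-01T00:00:01Z", "web-01"),
    ("2024-01-01T00:00:05Z", "web-01"),
    ("2024-01-01T00:00:00Z", "db-01"),
    ("2024-01-01T00:00:01Z", "db-01"),
    ("2024-01-01T00:00:02Z", "db-01"),
]


def timeslice(ts: str, width: int = 1) -> int:
    """Equivalent of `timeslice <width>s`: floor the epoch second to a bucket."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - epoch % width


def count_by_slice(logs, width: int = 1) -> dict:
    """Equivalent of `count by _timeslice, _collector`."""
    counts = defaultdict(int)
    for ts, collector in logs:
        counts[(timeslice(ts, width), collector)] += 1
    return dict(counts)


def eps_by_collector(logs, width: int = 1) -> dict:
    """Equivalent of `avg(_count) as eps by _collector`.

    Only timeslices that contain events exist in the count table, so empty
    seconds do not pull the average down.  Each bucket count is divided by
    the slice width so the result is per second even for wider slices.
    """
    per_collector = defaultdict(list)
    for (_, collector), n in count_by_slice(logs, width).items():
        per_collector[collector].append(n / width)
    return {c: sum(v) / len(v) for c, v in per_collector.items()}


def eps_over_window(logs, window_seconds: int) -> dict:
    """Assumed alternative metric: total events divided by the full window.

    Empty seconds count here, so bursty sources show a lower rate than the
    timeslice average reports.
    """
    totals = defaultdict(int)
    for _, collector in logs:
        totals[collector] += 1
    return {c: n / window_seconds for c, n in totals.items()}


def ranked(logs, width: int = 1) -> list:
    """Equivalent of `sort by eps`, highest rate first: [(collector, eps), ...]."""
    return sorted(eps_by_collector(logs, width).items(),
                  key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for collector, eps in ranked(SAMPLE_LOGS):
        print(f"{collector}: avg over active slices = {eps:.3f} eps, "
              f"over 6 s window = {eps_over_window(SAMPLE_LOGS, 6)[collector]:.3f} eps")
```

With the sample above, web-01 averages 5/3 eps over its three active seconds but only 5/6 eps across the six-second window, while db-01 reports 1.0 eps either way. When sizing collectors or alerting on ingest rate, decide which of the two figures you actually want before relying on the query's `avg(_count)`.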
