I have a query that shows how many times an event has occurred on a given day. Borrowing from the example in timeslice, let's pretend it looks like this:
| parse "login_status=*" as login_status
| where login_status="success"
| timeslice 1d
| count by _timeslice
Instead of showing the number of "success" login_status occurrences, I just want to know if such an event has occurred in a given day or not, so instead of count, I want to either display 0 or 1.
How can I modify this query to do that?