How can timeslice be used with boolean (0 or 1) instead of aggregate count?



  • Piotr Woch

    Hi Behrang!

    Please try the following query:


        | parse "login_status=*" as login_status
        | if(login_status="success",1,0) as was_success
        | timeslice 1d
        | max(was_success) by _timeslice

    Please let me know if this has addressed your question completely.

    Thank you!

    Best regards,

    Piotr Woch

  • Behrang Saeedzadeh

    Thanks Piotr! That worked like a charm.

    When I add this search, configured for the past 30 days, to my dashboard, it looks like Sumo always runs the search, and it could take somewhere between 2 and 5 minutes for the graph to be completely rendered. As, in my case, the logs for a given day won't change over time (they only change during that day), the graph could technically cache the y-axis values for the past days that it has already calculated and only recalculate the y-axis value for the days that haven't been processed/rendered before.

    Is there a way to optimize this query? For example, can Sumo skip processing events for a given day as soon as it encounters a match for that day, as that implies "true"/"1"?



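The per-day 0/1 reduction from the query above, together with the two ideas raised in the follow-up (stop evaluating a day once it is known to be 1, and reuse results for days that are already over), as an added standalone Python example. It is not part of the original thread and does not describe how Sumo Logic executes or caches searches; the log line format, the sample data, and the names `daily_success_flags` and `cache` are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from the thread): ISO timestamp, then fields.
SAMPLE_LOGS = [
    "2024-03-01T08:15:00Z user=alice login_status=failure",
    "2024-03-01T08:16:10Z user=alice login_status=success",
    "2024-03-01T09:00:00Z user=bob login_status=failure",
    "2024-03-02T11:30:00Z user=bob login_status=failure",
    "2024-03-02T11:31:00Z user=bob login_status=failure",
    "2024-03-03T07:45:00Z user=carol login_status=success",
    "2024-03-03T07:50:00Z healthcheck ok",  # no login_status field: ignored
]

LOGIN_STATUS = re.compile(r"login_status=(\S+)")


def daily_success_flags(lines, today, cache=None):
    """Return {day: 0 or 1}, where 1 means at least one login succeeded that day.

    Mirrors parse -> if(...,1,0) -> timeslice 1d -> max(...) by _timeslice.
    `cache` (hypothetical) holds flags for days before `today`; those days
    receive no new logs, so their flags are reused instead of recomputed.
    """
    cache = {} if cache is None else cache
    flags = dict(cache)
    for line in lines:
        stamp, _, rest = line.partition(" ")
        day = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").date()
        if day in cache or flags.get(day) == 1:
            continue  # finished day already computed, or day already known to be 1
        match = LOGIN_STATUS.search(rest)
        if match is None:
            continue  # line carries no login_status, so it contributes nothing
        was_success = 1 if match.group(1) == "success" else 0
        flags[day] = max(flags.get(day, 0), was_success)
    # Only days that are over are safe to remember for the next refresh.
    cache.update({d: v for d, v in flags.items() if d < today})
    return flags
```

On a second call with the same `cache`, only lines from the current day need to be supplied; earlier days are answered from the cache.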
