Is there a way to achieve different aggregations with different split-by clauses without losing fields? In Splunk you would do this with eventstats rather than stats.
For example, if I want to find a peak rate of requests/minute of X, but want to find the 97th percentile of requests over the whole time range, I would need the following two:
1. To get the peak request rate I would need something like:
| timeslice 1m
| count as Count by _timeslice, X
| max(Count) as Peak by X
2. To get the percentile I would need:
| pct(Y,97) as PCT97 by X
But 2 cannot be done after 1, as Y is no longer available, and 1 cannot be done after 2, as _messagetime is no longer available.
In Splunk you would use eventstats to do this. How is this done with Sumo?
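As an added illustration (not from the poster, and not Sumo query syntax), the Python below models the two aggregations from the question on constructed events, then produces the eventstats-style result in which every event keeps its timestamp and Y alongside both aggregates. The sample events, the 1-minute slicing and the nearest-rank percentile method are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample events: (epoch seconds, X, Y). Not real data.
EVENTS = [
    (0, "api", 120), (10, "api", 130), (20, "api", 900),   # api: 3 events in minute 0
    (70, "api", 110),                                      # api: 1 event in minute 1
    (5, "web", 50),                                        # web: 1 event in minute 0
    (65, "web", 55), (66, "web", 60), (67, "web", 2000), (68, "web", 70),  # web: 4 in minute 1
]

def minute_of(ts):
    """Equivalent of 'timeslice 1m': bucket a timestamp to its minute."""
    return ts - ts % 60

def nearest_rank(sorted_vals, p):
    """Nearest-rank percentile (assumed method; Sumo's pct() may differ)."""
    k = math.ceil(p / 100 * len(sorted_vals))
    return sorted_vals[max(k - 1, 0)]

def peak_rate_by_x(events):
    """Query 1: count by _timeslice, X | max(Count) as Peak by X."""
    counts = defaultdict(int)
    for ts, x, _y in events:
        counts[(minute_of(ts), x)] += 1      # this step is where Y is lost
    peak = defaultdict(int)
    for (_minute, x), c in counts.items():
        peak[x] = max(peak[x], c)
    return dict(peak)

def pct97_by_x(events):
    """Query 2: pct(Y, 97) as PCT97 by X over the whole range."""
    ys = defaultdict(list)
    for _ts, x, y in events:
        ys[x].append(y)                      # this step is where _messagetime is lost
    return {x: nearest_rank(sorted(v), 97) for x, v in ys.items()}

def eventstats_style(events):
    """Splunk eventstats semantics: compute both aggregates over the full
    event set, then attach them to each event instead of collapsing rows,
    so later steps still see the timestamp, X and Y of every event."""
    peak, pct = peak_rate_by_x(events), pct97_by_x(events)
    return [{"_messagetime": ts, "X": x, "Y": y, "Peak": peak[x], "PCT97": pct[x]}
            for ts, x, y in events]

if __name__ == "__main__":
    for row in eventstats_style(EVENTS):
        print(row)
```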