This query works:
| parse "Id=*;" as marketId
| timeslice 1s
| count(marketId) as c, count_distinct(marketId) as d, count_distinct(marketId) by _timeslice
but I want a field calculated as: (c-d) as duplicates
I can't do the subtraction inline so I extracted the 2 fields and created the duplicates field.
| count(marketId) as c, count_distinct(marketId) as cd
| (c-cd) as duplicate
but now I'm not able to use timeslice.
I also tried transpose without success
Please sign in to leave a comment.