so I need to filter the result by using count_distinct(jname) because "jname" is not unique
my issue ... is that I need to get the ratio of user1 to user2 count
| json auto
| where %"event.headers.app-id" != null and role = "user1" or role = "user2"
| timeslice 15m
| count_distinct(jname) as cnt by _timeslice, role
| transpose row _timeslice column role
|1||06/27/2019 9:00:00 AM -0700||1||7|
|2||06/27/2019 9:15:00 AM -0700||3||7|
Please sign in to leave a comment.