I have a query like following:
_sourceName = abc
| parse "MsgId = *" as msgId
| timeslice 1h
| count by msgId, _timeslice
| transpose row _timeslice column msgId
I know the count for each msg id will be either 1,2 or 3. I want to write this query in a way that I get the count of msgId per hour that appeared for 1,2, or 3 times. Row should be timeslice and column should be 1,2,3. This is may be possible with a subquery.
can any one please help?
Please sign in to leave a comment.