I'm parsing a number out of my logs. The number is constrained by 0 <= x <=1. I would like to count the number of times the number is 0, 1, and not (0 or 1). Here's what I've tried so far for just the 1 or 0 case.
| parse "myNum = * " as zero
| where zero = 0
| parse "myNum = * " as one
| where one = 1
| timeslice 15m
| count(zero) as zeroCount, count(one) as oneCount by _timeslice
This doesn't work because I can't parse the same field twice? How can I go about this?
Please sign in to leave a comment.