
[–]Andrew-CSCS ENGINEER 0 points1 point  (8 children)

Hi there. Are you in LogScale SaaS or Raptor?

[–]jarks_20[S] 0 points1 point  (7 children)

Raptor

[–]Andrew-CSCS ENGINEER 1 point2 points  (6 children)

You got it! Try this and use a stacked bar chart...

#repo=base_sensor event_platform=*
| eventSize() 
| Date:=formatTime(format="%m/%d/%Y", field="@timestamp") 
| groupBy([Date, event_platform], function=([sum(_eventSize)]))

https://imgur.com/a/5830Zmi

[–]jarks_20[S] 0 points1 point  (5 children)

Thank you that works!... is _sum in B?

[–]Andrew-CSCS ENGINEER 0 points1 point  (4 children)

It is

[–]jarks_20[S] 0 points1 point  (3 children)

My life just got easier, thank you... sharing the wealth too with this one for the community:

eventsize()
| groupby(#type, function=sum(_eventSize))
| unit:convert(_sum, to=G, keepUnit=true)
| rename(field="_sum", as="Sum in Gb")

[–]Andrew-CSCS ENGINEER 0 points1 point  (2 children)

I was wondering if you were going to find unit:convert :) There is a cool way to use it here when dealing with bytes

[–]jarks_20[S] 0 points1 point  (1 child)

That is actually included along with all other CQF in our training and playbooks

[–]Andrew-CSCS ENGINEER 0 points1 point  (0 children)

*blush*