I have an event for a user that joins the system and an event for a user that leaves that system.
I want to create a timechart that will show how many users I had in my system along a time window.
This is for example how I timechart the join events:
sourcetype="tracker logs" join = join | timechart dc(peerId)
and similarly for leave: sourcetype="tracker logs" join = leave | timechart dc(peerId)
But how do I subtract those who leave from those who joined?
Try something like this
sourcetype="tracker logs" join="join" OR join="leave" | eval users=if(join="join",1,-1) | accum users| timechart max(users)
Looks like this works:
sourcetype="tracker logs" join=join OR join=leave | eval users=if(match(join,"join"),1,-1) | accum users| timechart max(users)
Getting closer, I fixed your statement to:
sourcetype="tracker logs" join=join OR join=leave | eval users=if(join=="join",1,-1) | accum users| timechart max(users)
but looks like it doesn't match the join field to the value join
the values that the join field gets are either "join":true or "leave":true
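As an added illustration (not code from the thread or from Splunk), this Python model reproduces what the accepted search does: eval users=if(match(join,"join"),1,-1) becomes a +1/-1 delta per event, accum becomes a running sum, and timechart max(users) becomes the largest running value per time bucket. The log lines are constructed; the timestamp layout and the peerId key are assumptions, while the "join":true / "leave":true field shape comes from the last reply above.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample tracker log lines (not from the original thread);
# each carries a timestamp, a peerId and either "join":true or "leave":true.
SAMPLE_LOG = """\
2024-01-01T00:00:05Z {"peerId":"p1","join":true}
2024-01-01T00:00:20Z {"peerId":"p2","join":true}
2024-01-01T00:01:10Z {"peerId":"p3","join":true}
2024-01-01T00:01:40Z {"peerId":"p1","leave":true}
2024-01-01T00:02:30Z {"peerId":"p2","leave":true}
2024-01-01T00:02:45Z {"peerId":"p4","join":true}
"""

LINE_RE = re.compile(r"^(\S+)\s+(\{.*\})$")


def parse_events(text):
    """Return (timestamp, peerId, delta) tuples; delta is +1 for join, -1 for leave."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed "<ts> <json>" layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = json.loads(m.group(2))
        # Mirrors eval users=if(match(join,"join"),1,-1): a "join" key marks a join,
        # anything else (here "leave":true) counts as a departure.
        delta = 1 if fields.get("join") else -1
        events.append((ts, fields["peerId"], delta))
    return events


def concurrent_users_timechart(events, span_seconds=60):
    """Running user count (accum), then the max per bucket (timechart max(users))."""
    # accum is order-dependent, so the running sum is taken in chronological order.
    events = sorted(events, key=lambda e: e[0])
    running = 0
    buckets = {}
    for ts, _peer, delta in events:
        running += delta
        bucket = int(ts.timestamp()) // span_seconds * span_seconds
        buckets[bucket] = max(buckets.get(bucket, running), running)
    return [(datetime.fromtimestamp(b, timezone.utc).isoformat(), n) for b, n in sorted(buckets.items())]


if __name__ == "__main__":
    for when, n in concurrent_users_timechart(parse_events(SAMPLE_LOG)):
        print(when, n)
```

The model sums in chronological order; in Splunk, accum runs in the order the results arrive, which by default is newest first, so the event order should be checked when running the search itself.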