Is there a way to achieve aggregations with different split-by conditions without losing fields? In Splunk you would do this with eventstats.
For example, if I want to find a peak rate of requests/minute of X, but want to find the requests over 97th percentile of peak over the whole time range, I would need the following two:
- To get the peak request rate I would need something like:

```
| timeslice 1m
| count as Count by _timeslice, count
| max(Count) as Peak by count
```

- Next, calculate the percentage value greater than 97…
In Splunk you would use eventstats to do this. How can this be achieved here?
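The shape of the computation the question describes, as an added example that is not part of the original post and not a Sumo Logic or Splunk query: per-minute counts split by a field, a peak per field value, and a whole-range percentile, all attached to every row the way eventstats would rather than collapsing the rows. The timestamps, the `request_type` field (standing in for the "X" in the question) and the event values are constructed here, and the eventstats-style helper is a plain-Python illustration of the concept.

```python
"""Eventstats-style aggregation in plain Python (added example, not from the original post)."""
from collections import Counter
from datetime import datetime
from math import floor

# Constructed sample events: (ISO timestamp, request type). The field name
# "request_type" is an assumption standing in for the "X" in the question.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:05", "login"), ("2024-01-01T10:00:20", "login"),
    ("2024-01-01T10:00:41", "login"), ("2024-01-01T10:00:50", "search"),
    ("2024-01-01T10:01:02", "login"), ("2024-01-01T10:01:10", "search"),
    ("2024-01-01T10:01:15", "search"), ("2024-01-01T10:01:30", "search"),
    ("2024-01-01T10:01:55", "search"),
    ("2024-01-01T10:02:01", "login"), ("2024-01-01T10:02:03", "login"),
    ("2024-01-01T10:02:09", "login"), ("2024-01-01T10:02:22", "login"),
    ("2024-01-01T10:02:48", "login"), ("2024-01-01T10:02:30", "search"),
    ("2024-01-01T10:02:59", "search"),
    ("2024-01-01T10:03:07", "login"), ("2024-01-01T10:03:44", "login"),
    ("2024-01-01T10:03:12", "search"),
]


def timeslice_1m(ts):
    """Equivalent of `| timeslice 1m`: truncate the timestamp to the minute."""
    return datetime.fromisoformat(ts).replace(second=0, microsecond=0).isoformat()


def count_by_timeslice(events):
    """Equivalent of `| count as Count by _timeslice, request_type`: one row per (minute, type)."""
    counts = Counter((timeslice_1m(ts), rtype) for ts, rtype in events)
    return [{"_timeslice": sl, "request_type": rt, "Count": c}
            for (sl, rt), c in sorted(counts.items())]


def eventstats(rows, field, func, by=None, as_name=None):
    """Eventstats-style aggregation: apply func() to `field` within each `by` group
    (or over all rows when by is None) and attach the result to every row as a
    new field, keeping every original field intact."""
    groups = {}
    for row in rows:
        groups.setdefault(row[by] if by else None, []).append(row[field])
    name = as_name or f"{func.__name__}_{field}"
    return [dict(row, **{name: func(groups[row[by] if by else None])}) for row in rows]


def percentile(values, p):
    """Linearly interpolated percentile (the same convention numpy uses by default)."""
    s = sorted(values)
    rank = p / 100 * (len(s) - 1)
    lo = floor(rank)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (rank - lo)


def requests_over_peak_percentile(events, p=97):
    """Rows whose per-minute Count exceeds the p-th percentile of all Counts,
    with the per-type Peak still present on every row."""
    rows = count_by_timeslice(events)
    rows = eventstats(rows, "Count", max, by="request_type", as_name="Peak")
    rows = eventstats(rows, "Count", lambda v: percentile(v, p), as_name="Threshold")
    return [r for r in rows if r["Count"] > r["Threshold"]]


if __name__ == "__main__":
    for row in requests_over_peak_percentile(SAMPLE_EVENTS):
        print(row)
```

The second `eventstats` call has no `by`, so the whole-range percentile becomes a per-row field that the final filter can compare against, which is exactly what a plain aggregation loses when it collapses the rows.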