We can access our daily data, stored in separate collections and virtual indexes, by using a pattern. Let's count the events in each collection and sort by collection size:
Use this expression:
index=clicks_2015_* | stats count by index | sort -count
We can see the trend: users visit shops more often on working days (the 1st of February is a Sunday, the 5th is a Thursday), so we get more clicks on working days.
Next is the query related to metadata. We don't query the exact index; we use a wildcard to query several indexes at once:
index=clicks_2015_*
Let's count how many events happened during the observed days in each shop:
index=clicks_2015_* | stats count by index, shop_id | sort +index, -count
We sort by index name (the lexicographical order will be used) and by the count of events in shops in descending order.
Let's add some formatting to our report:
index=clicks_2015_* | eval day = strftime(timestamp, "%Y.%m.%d") | stats count by shop_id, day | sort +day, -count | fields day, shop_id, count
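We want to see the count of clicks in the shops by day. The query is built from these parts:
The day field is created and formatted from the timestamp field: eval day = strftime(timestamp, "%Y.%m.%d")
The clicks are counted by shop and by day: stats count by shop_id, day
The result is sorted by day and by count in descending order: sort +day, -count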
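The two reports above can be reproduced offline to check what the result tables should look like. The following is an added example, not code from the original page: it emulates the wildcard index selection, the day formatting, the grouping and the two-key sort in Python over constructed events. The index suffixes, shop ids, timestamps, function names and the use of UTC for the day are assumptions.

```python
from collections import Counter
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample events: (index, shop_id, timestamp in epoch seconds).
# Only the clicks_2015_ prefix comes from the page; everything else is made up.
EVENTS = [
    ("clicks_2015_02_01", 10, 1422752400),  # Sunday 2015-02-01 01:00 UTC
    ("clicks_2015_02_01", 10, 1422756000),
    ("clicks_2015_02_01", 20, 1422759600),
    ("clicks_2015_02_05", 20, 1423098000),  # Thursday 2015-02-05 01:00 UTC
    ("clicks_2015_02_05", 20, 1423101600),
    ("clicks_2015_02_05", 20, 1423105200),
    ("clicks_2015_02_05", 10, 1423108800),
    ("clicks_2014_12_31", 10, 1419987600),  # outside the wildcard, must be ignored
]

def select(events, pattern="clicks_2015_*"):
    """index=clicks_2015_* : keep events whose index matches the wildcard."""
    return [e for e in events if fnmatchcase(e[0], pattern)]

def count_by_index(events):
    """... | stats count by index | sort -count"""
    counts = Counter(index for index, _, _ in select(events))
    return sorted(counts.items(), key=lambda kv: -kv[1])

def clicks_by_day(events):
    """... | eval day | stats count by shop_id, day | sort +day, -count | fields ..."""
    counts = Counter()
    for _, shop_id, ts in select(events):
        # eval day = strftime(timestamp, "%Y.%m.%d"); UTC is an assumption made here
        day = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y.%m.%d")
        counts[(shop_id, day)] += 1
    # fields day, shop_id, count
    rows = [(day, shop_id, n) for (shop_id, day), n in counts.items()]
    # "%Y.%m.%d" strings sort lexicographically in calendar order
    return sorted(rows, key=lambda r: (r[0], -r[2]))

if __name__ == "__main__":
    for row in count_by_index(EVENTS):
        print(row)
    for row in clicks_by_day(EVENTS):
        print(row)
```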