I am displaying the number of bytes out per hour for a single user. When I attempt to graph this for the last 24 hours, the Visualization keeps listing the x-axis (each hour) in numerical order.
e.g., I run the query at 1500 (3PM); I expect data from yesterday 1500 to today 1500:
15, 16, 17, ... 24, 1, 2.... 14, 15
But what I keep getting instead is
0, 1, 10, 11, 12...19, 2, 20, 21...4, 5, 6, 7
How can I get the data to display in the chronological order (oldest to newest)?
I have tried the following sorts to no avail:
sort _time
sort - _time
sort - Time
sort 0 _time
sort 0 - _time
sort 0 - Time
query: index=bro sourcetype=bro_http src_ip=1.2.3.4 | bucket _time span=1h | stats sum(bytes_out) by date_hour | rename sum(bytes_out) AS "Bytes out/hour" | sort _time
Maybe using timechart instead of "bucket..stats" resolves this. Timechart will give output in chronological order.
index=bro sourcetype=bro_http src_ip=1.2.3.4 | timechart span=1h sum(bytes_out) as "Bytes out/hour"
Update:
Another option
index=bro sourcetype=bro_http src_ip=1.2.3.4 | timechart span=1h sum(bytes_out) as "Bytes out/hour" | eval time=strftime(_time,"%H.%M") | table time "Bytes out/hour"
Updated:
For multiple src_ip:
index=bro sourcetype=bro_http src_ip=1.2.3.4 OR src_ip=5.6.7.8 OR src_ip=9.10.11.12 | timechart span=1h sum(bytes_out) as "Bytes out/hour" by src_ip | eval time=strftime(_time,"%H.%M") | fields - _time | table time *
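Why the original `stats ... by date_hour | sort _time` cannot come out chronological (date_hour is a string key and _time no longer exists after stats), and what `timechart span=1h` keys on instead, modelled in Python on a constructed sample. This is an added illustration, not a query from the thread; the bro_http events, IPs and byte counts are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of bro_http events as (epoch seconds, src_ip, bytes_out):
# a 24-hour window starting yesterday 15:00 UTC, one event per hour for the
# first IP plus two events for a second IP. Made-up data, not from the thread.
START = datetime(2024, 1, 1, 15, 0, tzinfo=timezone.utc)

def _ts(h):
    return int((START + timedelta(hours=h, minutes=7)).timestamp())

EVENTS = [(_ts(h), "1.2.3.4", 100 + h) for h in range(24)]
EVENTS += [(_ts(0), "5.6.7.8", 50), (_ts(5), "5.6.7.8", 50)]

def bucket_hour(ts):
    """Equivalent of `bucket _time span=1h`: floor epoch seconds to the hour."""
    return ts - ts % 3600

def stats_by_date_hour(events):
    """Mimics `stats sum(bytes_out) by date_hour`: the group key is the hour of
    day as a string, _time is dropped, and sorting the key is lexicographic."""
    sums = defaultdict(int)
    for ts, _ip, b in events:
        sums[str(datetime.fromtimestamp(ts, timezone.utc).hour)] += b
    return [(k, sums[k]) for k in sorted(sums)]  # "0", "1", "10", "11", ...

def timechart_hourly(events):
    """Mimics `timechart span=1h sum(bytes_out)`: the key is the epoch bucket,
    so sorting gives chronological order whatever the clock-hour label is."""
    sums = defaultdict(int)
    for ts, _ip, b in events:
        sums[bucket_hour(ts)] += b
    return [(k, sums[k]) for k in sorted(sums)]

def timechart_by_src_ip(events):
    """Mimics `timechart span=1h sum(bytes_out) by src_ip`: one row per hour
    bucket, one column per src_ip, with missing cells filled as 0."""
    ips = sorted({ip for _, ip, _ in events})
    sums = defaultdict(lambda: {ip: 0 for ip in ips})
    for ts, ip, b in events:
        sums[bucket_hour(ts)][ip] += b
    return [(k, sums[k]) for k in sorted(sums)]

def hour_labels(rows):
    """`eval time=strftime(_time,"%H.%M")`: label each bucket by clock time."""
    return [datetime.fromtimestamp(ts, timezone.utc).strftime("%H.%M")
            for ts, _ in rows]
```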
Thank you again! I'm working out your responses line by line to really understand it.
Removing the _time field (replacing it with a regular field) makes it a regular (x,y) chart.
For multiple IP addresses, see the last updated answer.
The second query is exactly what I was looking for! When I've used timecharts in the past, you cannot dictate the number of "ticks" on the x-axis (like in your first suggestion) which is why I was using buckets, yet the second query shows every hour. What about the second query forces it to show each tick mark?
EDIT: Also, could you suggest a way to graph this for 3 source IP addresses (3 lines showing bytes out per hour)?