All I want is a table like this with a little style:
_time       INDEX1 (events)  INDEX2 (events)  INDEX3 (events)
2015-12-03  822              2,211            1,312,118
2015-12-02  1,133            2,104            982,127
2015-12-01  1,320            2,612            991,815
"A little style" means all numbers with commas, and all lower-case index names converted to upper-case letters.
First I run a summary search every day as *|sitimechart span=1d count by index
Then my search string:
index=summary search_name="events count summary"
[search index=summary search_name="events count summary" earliest=-5d | fields orig_index | return 1000 orig_index]
## trying to ignore old indexes.
| bin _time span=1d
| stats count by _time orig_index
| rename orig_index as index
| append [search earliest=-0d@d | fields index | bin _time span=1d | stats count by _time index]
## append today's events
| fieldformat count=tostring(count,"commas")
| eval index=upper(index)+" (events)"
| xyseries _time index count
| fields - VALUE_*
## remove some unexpected fields
| sort - _time
but all commas get lost after the xyseries command.
Could anyone help me with this? Or just ignore all of the above and offer me a pretty one?
Another problem:
...| stats count by _time index | timechart values(count) by index span=1d
I first used timechart instead of xyseries; any other numerical field is OK, but with 'count' it combines _time into months and makes values(count) a multivalue field. That confused me.
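One way to keep the commas, as an added example rather than code from the original post: fieldformat only attaches display formatting to a field named count, and after xyseries that field no longer exists (each index becomes its own column), so the formatting is dropped. Converting count to a string with eval before the pivot makes the comma-formatted values the actual cell contents that xyseries carries through. This reuses the asker's own search and assumes the same summary index and search_name.

```spl
index=summary search_name="events count summary"
    [search index=summary search_name="events count summary" earliest=-5d
     | fields orig_index | return 1000 orig_index]
| bin _time span=1d
| stats count by _time orig_index
| rename orig_index as index
| append [search earliest=-0d@d | fields index | bin _time span=1d | stats count by _time index]
| eval index=upper(index)+" (events)"
| eval count=tostring(count,"commas")
| xyseries _time index count
| fields - VALUE_*
| sort - _time
```

Because eval turns count into a string, do the conversion as the last step before xyseries; any arithmetic or numeric sorting on count has to happen above that line.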