Took the below example from documentation....
Chart a single day's views and purchases at the Buttercup Games online store.
sourcetype=access_* | timechart per_hour(eval(method="GET")) AS Views, per_hour(eval(action="purchase")) AS Purchases
Want to do something similar but need to timechart count for all the events to host=wap4* and to host=wap5*
Don't want a side by side chart...
Try this
sourcetype=access_* | timechart per_hour(eval(LIKE(host,"wap4%"))) AS wap4Count, per_hour(eval(LIKE(host,"wap5%"))) AS wap5Count
Note that * is replaced by %
Great.. I have converted my comment to an answer. Please accept the answer if there are no follow-up questions.
Cool... it works!!!!
I hope you are able to see the * after wap4 and wap5
Close... but what I want to do is
sourcetype=access_* | timechart per_hour(eval(host="wap4*")) AS wap4Count, per_hour(eval(host="wap5*")) AS wap5Count
This doesn't work.
The below one was also close, but then it also doesn't work with wildcards..
source=usgs | eval Description=case(depth<=70, "Shallow", depth>70 AND depth<=300, "Mid", depth>300, "Deep") | stats count min(mag) max(mag) by Description
Are you looking for something like this:-
sourcetype=access_* | timechart per_hour(eval(host="wap4")) AS wap4Count, per_hour(eval(host="wap5")) AS wap5Count
Any help on this one?
I am not looking to filter but to timechart count by host, where host can be 2 types... one which starts with wap4* and another that starts with wap3*...
If all you want to do is filter so that you only get events from those two hosts, just add those as search filters in your base search:
sourcetype=access_* (host=wap4* OR host=wap5*) | timechart per_hour(eval(method="GET")) AS Views, per_hour(eval(action="purchase")) AS Purchases
...assuming the destination host is in the "host" field. If it's in another field, just use that instead.
Want to group wap4* as 1 type of host and wap3* as another type. Don't want individual time charts.
Just add by host in the timechart.
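Added example, not from any post in this thread: one way to chart the two host families as two series is to derive a group field with like() and split the timechart by it, since eval compares strings literally and does not expand * as a wildcard. The field name host_group and the sample host names generated by makeresults are constructed for illustration, so the search runs without any indexed data.

```spl
| makeresults count=500
| eval host=mvindex(split("wap401,wap402,wap501,wap502,web01", ","), random() % 5)
| eval _time=_time - (random() % 86400)
| eval host_group=case(like(host, "wap4%"), "wap4", like(host, "wap5%"), "wap5")
| where isnotnull(host_group)
| timechart span=1h count BY host_group
```

On real data, replace the first three lines with the base search (for example sourcetype=access_* with the two host wildcards joined by OR) and keep the last three. Hosts matching neither pattern get a null host_group and are dropped by the where clause.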