I am trying to create a timechart by 2 fields
Here is what I tried:
source=abc CounterName="\Process(System)\% Processor Time"| timechart span=1h avg(CounterValue) by RoleInstance CounterName
Any idea how this could be achieved?
how about
source=abc CounterName="\Process(System)\% Processor Time" | stas count by RoleInstance,CounterName
view the visualization tab to get charts afterwards
You can use the following and view the visualization tab
|stats count by field1,field2
span is not working with chart. But I tried something below which works for me
chart perc90(s), count(s) by host
Something like this
source=abc CounterName="\Process(System)\% Processor Time" | eval Role_Counter=RoleInstance + "#" + CounterName| timechart span=1h avg(CounterValue) by Role_Counter
timechart values(foo) by bar
Is the same like
chart values(foo) over_time by bar
But like linu said chart can have more then one by clause
This is an older one - but for reference:
I don't think, that this is completely true. chart
can have a and a . It's more flexible than timechart
as the can be something other than _time
. But you only have these to split-options (I believe, it was the same in 2014 with version 6.0.# or older).
If I'm wrong, just tell me so I can learn more and more...
chart does support more fields. why to limit urself with timechart. They almost do the same.
Time chart just work with one field in "by" clause. You can concatenate multiple field into one and use in timechart.
Can we scale this to more than 2 fields?
or bucket _time span=1h|chart avg(CounterValue) by RoleInstance,CounterName
You can concat both the fields into one field and do a timechart on that.