Normally, the time resolution adjusts itself, seemingly trying to keep the number of bars shown below some "reasonable" limit. So if I search "The last 30 days", I will get bars by the day. If I search "The last 4 hours", I will bars by the minute.
How do I adjust that? I want to have a per second resolution, but over a larger time span than just a few minutes.
Hi letharion,
it depends on how you show your bars using graphs... if you're using timechart
simply do something like this:
your base search | timechart span=1sec count
this will give you for each second a bar of all event counts. If you're using chart
or stats
you can do something like this:
your base search | bucket _time span=1sec | chart count over _time
your base search | bucket _time span=1sec | stats count by _time
hope this helps ...
cheers, MuS
Hi letharion,
it depends on how you show your bars using graphs... if you're using timechart
simply do something like this:
your base search | timechart span=1sec count
this will give you for each second a bar of all event counts. If you're using chart
or stats
you can do something like this:
your base search | bucket _time span=1sec | chart count over _time
your base search | bucket _time span=1sec | stats count by _time
hope this helps ...
cheers, MuS