I have two fields trigger0 and trigger that occur several times per hour and I would like the sum (number of occurrences) of both over a one-hour timespan. I tried a lot of things from the forum but I always get "no result found".
A few examples of what I've tried:
source="*0307.log*" trigger0=* trigger=* [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] | timechart span=1h sum( eval(count(trigger) + count(trigger0)) ) as totaltrigger
source="*0307.log*" trigger0=* trigger=* [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] | timechart span=1h count(trigger) count(trigger0)
It's the part after the last pipe that causes the problem; I'm using the first part in other graphs.
Your search could be
source="*0307.log*" trigger0=* OR trigger=*
[ search trigger0=* | head 1
| eval earliest=relative_time(lastTime,"-15d")
| eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ]
| eval triggerMain = trigger + trigger0
| timechart span=1h count(triggerMain) as triggerMain
If for some reason that doesn't work, then you could also do
source="*0307.log*" trigger0=* OR trigger=*
[ search trigger0=* | head 1
| eval earliest=relative_time(lastTime,"-15d")
| eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ]
| timechart span=1h eval(count(trigger)) as trigger01, eval(count(trigger0)) as trigger001
| eval triggerMain = trigger01 + trigger001
| fields - trigger01 trigger001
Also, I am unclear why you need all the fancy stuff for setting earliest and latest. You may get the same result by doing this:
source="*0307.log*" trigger0=* OR trigger=*
| eval triggerMain = trigger + trigger0
| timechart fixedrange=F span=1h count(triggerMain) as triggerMain
Your second solution works fine. I need the fancy stuff because I only want to see the last 15 days of events and the latest event is not always "now".
Your first problem may be:
(trigger0=* OR trigger=*)
Without seeing more of what your data looks like I can't comment further on your search, but the "no result found" problem may be taken care of by using an OR between your trigger conditions if you don't have BOTH trigger0 and trigger in every event.
Again, without seeing more of what your data looks like, it is hard to tell what is wrong.
Both are extracted fields and they are always present, in different events.
An event looks like:
2015-02-22 23:59:35,255 INFO [0.809.1.31.] ......... Start executing rule with ID 304. Triggered by a MotionDetection at 05:59:35 (Utc).
Ok, I almost got it. This works:
source="*0307.log*" trigger0=* OR trigger=* [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] | timechart span=1h eval(count(trigger)) as trigger01, eval(count(trigger0)) as trigger001 | eval triggerMain = trigger01 + trigger001
But all three charts are displayed (trigger01, trigger001, triggerMain) and I would like to chart only triggerMain. I haven't managed to so far.
Try:
source="*0307.log*" trigger0=* OR trigger=* [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] | timechart span=1h eval(count(trigger)+count(trigger0)) as triggerMain
@Cpetterborg's solution works fine and looks easier than lguinn's.
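As an added illustration (not code from the thread or from any of its participants), the Python below models what the searches in this thread do: derive the 15-day window from the newest trigger0 event, bucket events per hour, and then total the two fields. It also shows why the first suggestion, `eval triggerMain = trigger + trigger0` followed by `count(triggerMain)`, can return nothing when each event carries only one of the two fields: in SPL, eval arithmetic with a missing (null) operand yields null, and `count()` skips nulls, so every bucket silently becomes 0. The accepted form, `eval(count(trigger)+count(trigger0))`, counts each field per bucket first and then adds. The sample events are constructed for this example and are already field-extracted, since the thread does not show the extraction rule; field names and the 15-day window are taken from the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not events from the original thread). Each one
# mimics a Splunk event after field extraction: it has _time and, as the
# thread states, either trigger or trigger0, never both in the same event.
EVENTS = [
    {"_time": datetime(2015, 2, 22, 23, 10, 5), "trigger": "MotionDetection"},
    {"_time": datetime(2015, 2, 22, 23, 40, 12), "trigger0": "304"},
    {"_time": datetime(2015, 2, 23, 0, 5, 0), "trigger": "DoorContact"},
    {"_time": datetime(2015, 2, 23, 0, 20, 33), "trigger": "MotionDetection"},
    {"_time": datetime(2015, 2, 23, 0, 50, 41), "trigger0": "305"},
    {"_time": datetime(2015, 2, 23, 1, 15, 9), "trigger0": "304"},
    # Old event that the 15-day window derived from the subsearch should drop.
    {"_time": datetime(2015, 1, 1, 12, 0, 0), "trigger0": "304"},
]


def window_from_latest_trigger0(events, days=15):
    """Mimic the subsearch: the newest event with trigger0 sets latest,
    and earliest = relative_time(latest, "-15d")."""
    latest = max(e["_time"] for e in events if "trigger0" in e)
    return latest - timedelta(days=days), latest


def in_window(events, earliest, latest):
    """Apply the earliest/latest bounds the subsearch injects into the main search."""
    return [e for e in events if earliest <= e["_time"] <= latest]


def hour_bucket(ts):
    """timechart span=1h: truncate the timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def spl_add(a, b):
    """SPL eval '+': null if either operand is missing; string operands concatenate."""
    if a is None or b is None:
        return None
    return str(a) + str(b)


def count_of_eval_sum(events):
    """| eval triggerMain = trigger + trigger0 | timechart span=1h count(triggerMain)
    count() ignores null values, so an event with only one field contributes nothing."""
    buckets = defaultdict(int)
    for e in events:
        bucket = hour_bucket(e["_time"])
        buckets[bucket]  # ensure the hour appears even if its count stays 0
        if spl_add(e.get("trigger"), e.get("trigger0")) is not None:
            buckets[bucket] += 1
    return dict(buckets)


def sum_of_counts(events):
    """| timechart span=1h eval(count(trigger)+count(trigger0)) as triggerMain
    Each count() is computed per hour bucket first, then the two are added."""
    buckets = defaultdict(int)
    for e in events:
        buckets[hour_bucket(e["_time"])] += ("trigger" in e) + ("trigger0" in e)
    return dict(buckets)


if __name__ == "__main__":
    earliest, latest = window_from_latest_trigger0(EVENTS)
    kept = in_window(EVENTS, earliest, latest)
    print(f"window: {earliest} .. {latest}, {len(kept)} of {len(EVENTS)} events kept")
    broken = count_of_eval_sum(kept)
    working = sum_of_counts(kept)
    for hour in sorted(working):
        print(f"{hour:%Y-%m-%d %H:00}  count(trigger+trigger0)={broken[hour]}  "
              f"count(trigger)+count(trigger0)={working[hour]}")
```

The null-propagation column is the practical caveat: a dashboard built on the first form would show a flat zero line for an alert source that is actually firing, which is exactly the "no result" symptom reported at the top of the thread, so summing per-bucket counts (or wrapping each field in `coalesce()` before adding) is the safer pattern for trigger-rate panels.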