Hi,
I'm displaying Pie chart with below query.
index=my_index sourcetype="my_log" keyword1 keyword2 "errorValue=" | rex field=_raw "keyword1 keyword2 (?<my_key>.*)#" | stats last(error) as last_error first(error) as first_error by action | eval error_count = abs(first_error - last_error) | fields - first_error last_error
The Pie chart shows different actions & its error counts.
How can I convert above query to display Timechart so that time will be on X-axis & Y-axis will have errorCount & Legend will be different actions?
Is that even possible?
Thanks!
Try this:
index=my_index sourcetype="my_log" keyword1 keyword2 "errorValue=" | rex field=_raw "keyword1 keyword2 (?<my_key>.*)#" | bucket _time span=1h | stats first(_time) AS time last(error) as last_error first(error) as first_error by action | eval error_count = abs(first_error - last_error) | chart error_count BY time,action
Change the span=1h
to whatever time-basis you would like for your X-axis legend.