I am planning to plot Unique error messages by a service with time, but don't know how to grab unique value. I can map the unique error message by time , but the point is to plot them by service and then time on the x-axis.

I believe it can be done by the table command, but how do I use table with a unique value of error by service.

Gives Timechart by error message:

host="abc.com" NOT Latency | rex "\[error\][^\(]+\((?<service>[^\)]+).+trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+(?<error_msg>.+)" | timechart count by error_msg

Gives Timechart by service:

host="abc.com" NOT Latency | rex "\[error\][^\(]+\((?<service>[^\)]+).+trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+(?<error_msg>.+)" | timechart count by service

I want to plot by time which should show error msg by service, but this doesn't work:

host="abc.com" NOT Latency | rex "\[error\][^\(]+\((?<service>[^\)]+).+trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+(?<error_msg>.+)" | stats dc(error_msg) by service

I want the service names in the legend, showing the count and description of unique error when I hover the mouse on the line chart.