Hi all!
I've set up several eventtypes with the same tag. I'm now trying to use timechart but getting an unexpected NULL eventtype.
Search example:
host="production" tag="mytag" | timechart span=1w count by eventtype
Somehow this is coming back with a NULL eventtype, despite the search alone returning as expected. All of the eventtypes start with the same word (e.g. "myevent_100", "myevent_101", etc.) so I also tried this and get the same strange NULL on the timechart:
host="production" eventtype="myevent*" | timechart span=1w count by eventtype
What am I missing here? Thanks!
The problem here is that eventtype can be multivalued and is otherwise "special" as a knowledge object. You can try doing
host="production" eventtype="myevent*"
| eval SingleValueEventtype=mvindex(eventtype, 0)
| timechart span=1w count by SingleValueEventtype
I wrestled with this one a long time ago. Lookups by eventtype are also very problematic.
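As an added, self-contained example that is not part of the thread above: the search below uses makeresults to construct three fake events (two matching a single eventtype, one matching both "myevent_100" and "myevent_101"), shows how to check which events carry a multivalued eventtype with mvcount, and then contrasts the answer's mvindex approach (which keeps only the first value per event) with mvexpand (which counts an event once under every eventtype it matches). The eventtype names and the NUM_EVENTS count are constructed for the example; on real data you would replace the makeresults/eval lines with your own base search.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time=now() - n*86400
| eval eventtype=case(
    n=1, "myevent_100",
    n=2, "myevent_101",
    n=3, mvappend("myevent_100", "myevent_101"))

| eval eventtype_count=mvcount(eventtype)
| table _time n eventtype eventtype_count

| eval SingleValueEventtype=mvindex(eventtype, 0)
| timechart span=1w count by SingleValueEventtype

| mvexpand eventtype
| timechart span=1w count by eventtype
```

Run the first block (through the table command) on its own to confirm that event 3 reports eventtype_count=2; that is the kind of event that produces the NULL column in a plain "timechart ... by eventtype". The mvindex variant then attributes event 3 only to myevent_100 (counts 2 and 1), while the mvexpand variant attributes it to both (counts 2 and 2), so pick whichever matches how you want multi-matched events counted.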