Hi,
I have a timechart with different columns. I want to display those events from the timechart which are continuous for at least 10 minutes.
I want to group the events which are marked red and yellow based on the time or event. Help required.
Give this a shot (check the field names)
your current search with timechart | streamstats current=f window=1 values("Total Error") as prev_error values("Total Auth") as prev_auth
| where (prev_error='Total Error' AND 'Total Error'!=0) OR (prev_auth='Total Auth' AND 'Total Auth'!=0)
Are the column names fixed in your time chart?
Yes, they are. These are spikes in the Total Errors and in the authorization and authentication failures, respectively.