These are my events:
Based on the below info I want to create a stackable bar graph that shows 2 errors, "luchip" and "xmchip", in different colors.
10/11/16
7:13:37.000 AM
2016/10/11 07:13:37| 2767| 2672| 20711| DCNETWORK| DCNETWORK| DNYOD2-J1|07:13:37 DCNETWORK: [critical] %DCNETWORK-CORE-WP-bbswatch-dnyod2-j1-syslog-default-err% {anjr-nm2} dc-core: almn-core-wp: fpc0 **xmchip*(0): li0: received a parcel from the hsl2 interface with eope
10/11/16
7:13:32.000 AM
2016/10/11 07:13:32| 2766| 2672| 20711| DCNETWORK| DCNETWORK| DNYOD2-J1|07:13:32 DCNETWORK: [critical] %DCNETWORK-CORE-WP-bbswatch-dnyod2-j1-syslog-default-err% {anjr-nm2} dc-core: almn-core-wp: fpc0 **luchip(*0) ppe_12 errors lmem data error 0x0000026c
10/7/16
2:49:35.000 PM
2016/10/07 14:49:35| 2902| 2672| 20711| DCNETWORK| DCNETWORK| PNYOD2-J2|14:49:34 DCNETWORK: [critical] %DCNETWORK-CORE-WP-bbswatch-pnyod2-j2-syslog-default-err% {anjr-nm2} dc-core: almn-core-wp: fpc0 **luchip(5) ppe_4 errors lmem data error 0x00000127
10/6/16
10:07:26.000 AM
*2016/10/06 10:07:26| 6713| 2672| 20711| DCNETWORK| DCNETWORK| PNJR-J10|10:07:26 DCNETWORK: [critical] %DCNETWORK-CORE-WP-bbswatch-pnjr-j10-syslog-default-err% {anjr-nm2} dc-core: almn-core-wp: fpc2 **xmchip(*1): wo1: packet error - error packets 1, stream 29
10/6/16
10:07:21.000 AM
*2016/10/06 10:07:21| 6709| 2672| 20711| DCNETWORK| DCNETWORK| PNJR-J10|10:07:21 DCNETWORK: [critical] %DCNETWORK-CORE-WP-bbswatch-pnjr-j10-syslog-default-err% {anjr-nm2} dc-core: almn-core-wp: fpc2 cadg7441: xmchip(1): ddrif: checksum error for wo1 - channel 6, address 0x4a040, checksum errors 1, checksum poison count 0
Try this
base search | rex "(?<err_type>xmchip|luchip)" | timechart count by err_type
*UPDATED*
base search | rex "(?<err_type>xmchip|luchip)" | chart count over netdevice by err_type
Assuming that "dc-core: almn-core-wp:" always appears before fpcN (xmchip OR luchip) and timestamps are present for the indexed data, then you can try the below:
yourBaseSearchToGetAllAboveLogs
| rex field=_raw ".dc-core: almn-core-wp:\s+(?<fpc>[^\s]+)\s?(?<chipType>[^\s\(]+)"
| timechart count by chipType
Note: Only the chip name (xmchip or luchip) is extracted by regex. I have ignored the * and the "(number)" from the chip name. (But that can be extracted too)
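To show what the two rex extractions above and the `chart count over netdevice by err_type` pivot actually produce on these events, here is an added Python walk-through (example code, not part of either answer); it assumes netdevice is the 7th pipe-delimited field of the raw event, and the sample events are abridged copies of the five in the question:

```python
import re
from collections import defaultdict

# Constructed sample events, abridged from the five events in the question
# (the %DCNETWORK-...% tag and {anjr-nm2} part are shortened to "...").
EVENTS = [
    "2016/10/11 07:13:37| 2767| 2672| 20711| DCNETWORK| DCNETWORK| DNYOD2-J1|07:13:37 DCNETWORK: [critical] ... dc-core: almn-core-wp: fpc0 **xmchip*(0): li0: received a parcel from the hsl2 interface with eope",
    "2016/10/11 07:13:32| 2766| 2672| 20711| DCNETWORK| DCNETWORK| DNYOD2-J1|07:13:32 DCNETWORK: [critical] ... dc-core: almn-core-wp: fpc0 **luchip(*0) ppe_12 errors lmem data error 0x0000026c",
    "2016/10/07 14:49:35| 2902| 2672| 20711| DCNETWORK| DCNETWORK| PNYOD2-J2|14:49:34 DCNETWORK: [critical] ... dc-core: almn-core-wp: fpc0 **luchip(5) ppe_4 errors lmem data error 0x00000127",
    "2016/10/06 10:07:26| 6713| 2672| 20711| DCNETWORK| DCNETWORK| PNJR-J10|10:07:26 DCNETWORK: [critical] ... dc-core: almn-core-wp: fpc2 **xmchip(*1): wo1: packet error - error packets 1, stream 29",
    "2016/10/06 10:07:21| 6709| 2672| 20711| DCNETWORK| DCNETWORK| PNJR-J10|10:07:21 DCNETWORK: [critical] ... dc-core: almn-core-wp: fpc2 cadg7441: xmchip(1): ddrif: checksum error for wo1 - channel 6, address 0x4a040, checksum errors 1, checksum poison count 0",
]

# The same patterns as the two rex commands, in Python's (?P<name>...) syntax.
ERR_TYPE_RE = re.compile(r"(?P<err_type>xmchip|luchip)")
FPC_CHIP_RE = re.compile(r"dc-core: almn-core-wp:\s+(?P<fpc>[^\s]+)\s?(?P<chipType>[^\s\(]+)")


def extract_fields(event):
    """Return netdevice, err_type, fpc and chipType for one event (None when absent).
    Assumption: netdevice is the 7th pipe-delimited field (e.g. DNYOD2-J1)."""
    fields = [f.strip() for f in event.split("|")]
    m1 = ERR_TYPE_RE.search(event)
    m2 = FPC_CHIP_RE.search(event)
    return {
        "netdevice": fields[6] if len(fields) > 6 else None,
        "err_type": m1.group("err_type") if m1 else None,
        "fpc": m2.group("fpc") if m2 else None,
        # chipType is simply the token after fpcN: it keeps the leading "**" and, for
        # the "fpc2 cadg7441: xmchip(1)" event, yields "cadg7441:" rather than the chip.
        "chipType": m2.group("chipType") if m2 else None,
    }


def chart_count_over_netdevice_by_err_type(events):
    """Pivot like `chart count over netdevice by err_type`: {netdevice: {err_type: count}}.
    Events where either field is missing are skipped here."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        f = extract_fields(ev)
        if f["netdevice"] and f["err_type"]:
            counts[f["netdevice"]][f["err_type"]] += 1
    return {dev: dict(c) for dev, c in counts.items()}


if __name__ == "__main__":
    table = chart_count_over_netdevice_by_err_type(EVENTS)
    cols = sorted({t for c in table.values() for t in c})
    print("netdevice".ljust(12) + "".join(c.ljust(8) for c in cols))
    for dev, c in table.items():  # one row per device, one column per error type
        print(dev.ljust(12) + "".join(str(c.get(col, 0)).ljust(8) for col in cols))
```

Running it shows why the `(xmchip|luchip)` rex is the more robust split field: it still tags the last event as xmchip, while the fpc/chipType rex picks up "cadg7441:" for that event.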
Thanks.
But the issue now is: if I use the above logic, it creates the stackable graph, but it removes the names of the devices (netdevice). If I use the names, then the graph does not show up as stacked for both xmchip and luchip.
Try chart instead of timechart. See updated answer.
That worked.
Thanks a lot.