I'm sure there is an easy answer for this and I'm going to feel silly when I see it. I have a scripted input that pulls volume data for several volumes every 5 minutes. I would like to see the change in used terabytes of the combined volumes over time (each volume has a used_tb key/value pair in the log). For short time periods, I can do...
... | timechart span=5m sum(used_tb)
but once I need to go beyond the last 24 hours, this breaks down. I can do...
... | timechart span=1h min(used_tb) by volume
and then use an area graph in stacked mode to get the idea, but I can't get an accurate measure when I hover over the graph (the pop up is for the individual volumes).
I thought that nesting the functions...
... | timechart span=1h sum(min(used_tb) by volume)
would work, but this produces no values.
What really easy thing am I missing here?
This one should work:
... | bucket _time span=1h | stats min(used_tb) as min_used by volume,_time | timechart span=1h sum(min_used)
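The following Python simulation is an added illustration, not part of the original question or answer. It uses constructed samples (three volumes polled every 5 minutes for two hours) and an epoch-aligned floor to model `bucket _time span=...`. `timechart_sum` mirrors the question's `timechart span=1h sum(used_tb)`, which adds every poll in the hour and so inflates the total twelve-fold, while `sum_of_per_volume_min` mirrors the answer's two-stage search: `min(used_tb)` per volume per bucket, then `sum` of those minimums per bucket.

```python
from collections import defaultdict

SPAN_5M = 300    # seconds, the polling interval in the question
SPAN_1H = 3600   # seconds, the span the answer buckets on


def make_samples(start=1_699_999_200, hours=2):
    """Constructed sample data (not real volume logs): three volumes polled
    every 5 minutes. vol_a grows 0.25 TB per poll, vol_b is flat at 20 TB,
    vol_c shrinks by 0.5 TB each hour. `start` is on an hour boundary so the
    buckets line up the same way Splunk's epoch-aligned bucket does."""
    samples = []
    for h in range(hours):
        for i in range(12):  # 12 five-minute polls per hour
            t = start + h * SPAN_1H + i * SPAN_5M
            samples.append({"_time": t, "volume": "vol_a", "used_tb": 10.0 + h + 0.25 * i})
            samples.append({"_time": t, "volume": "vol_b", "used_tb": 20.0})
            samples.append({"_time": t, "volume": "vol_c", "used_tb": 30.0 - 0.5 * h})
    return samples


def bucket(t, span):
    """Floor an epoch timestamp to the start of its span, like `bucket _time span=...`."""
    return t - (t % span)


def timechart_sum(samples, span):
    """Models `timechart span=<span> sum(used_tb)`: every poll that falls in a
    bucket is added together. Correct only while the span equals the polling
    interval (one poll per volume per bucket); wider spans multiply the answer."""
    totals = defaultdict(float)
    for s in samples:
        totals[bucket(s["_time"], span)] += s["used_tb"]
    return dict(sorted(totals.items()))


def sum_of_per_volume_min(samples, span):
    """Models the accepted answer:
    `bucket _time span=<span> | stats min(used_tb) as min_used by volume,_time
     | timechart span=<span> sum(min_used)`.
    Stage 1 keeps one value per (volume, bucket); stage 2 sums those per bucket,
    so each volume contributes exactly once however wide the span is."""
    per_volume = {}
    for s in samples:
        key = (s["volume"], bucket(s["_time"], span))
        per_volume[key] = min(per_volume.get(key, s["used_tb"]), s["used_tb"])
    totals = defaultdict(float)
    for (_, b), min_used in per_volume.items():
        totals[b] += min_used
    return dict(sorted(totals.items()))


if __name__ == "__main__":
    samples = make_samples()
    print("5m sum  :", timechart_sum(samples, SPAN_5M))          # ~60 TB per bucket
    print("1h sum  :", timechart_sum(samples, SPAN_1H))          # ~740 TB, 12x too high
    print("1h min+sum:", sum_of_per_volume_min(samples, SPAN_1H))  # 60.0 then 60.5 TB
```

At the 5-minute span both functions agree, which is why the question's original search looked right for short ranges; at the 1-hour span only the two-stage version returns a figure in the same units as a single poll. Splitting the first `stats` by `_time` as well as `volume` is what makes this work: without `_time` in the split-by clause, `min` collapses the whole search window into one value per volume and there is nothing left for `timechart` to plot.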
Brilliant! That did the trick.
Forgot to add time to the split-by clause of the stats. Modified the search in the answer...
That search still doesn't produce any charting results. I have played with bucketing and eval but no luck.