I've given all my data 1 of 3 possible event types. In addition, each event has a field "foo" (which contains roughly 3 values).
What I want to do is....
- For each value in field foo
- count the number of occurrences for each event type
- Plot those counts over time.
I would expect that the resultant timechart would have ~3^3 lines with data points for each day.
How would I do this?
Like this:
Your Base Search Here
| eval foo2 = eventtype . "/" . foo
| timechart count BY foo2
Provided eventtype is never multi-valued.
This would have worked absolutely perfectly if each of my events didn't have multiple event types assigned to them.
... | bucket span=1d _time | chart count(eventtype) over foo by _time
Perfect!!! Thanks a ton!!!
Actually, that's not quite right. I'd be expecting ~36 different lines and I'm not....
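An added example (not from any of the posters above) that handles the multi-valued eventtype case the first answer excluded: mvexpand splits each event into one copy per eventtype value before the concatenation, so every event-type/foo pair is counted once per day. The base search `index=myindex sourcetype=mysourcetype` and the field name foo are placeholders; substitute your own.

```spl
index=myindex sourcetype=mysourcetype
| mvexpand eventtype
| eval foo2 = eventtype . "/" . foo
| timechart span=1d limit=0 count BY foo2
```

Two things worth checking when the line count looks wrong: timechart keeps only the 10 largest series by default and folds the rest into an OTHER series, so `limit=0` is needed to see all of them; and if foo can also be multi-valued, add a second `| mvexpand foo` before the eval, otherwise the concatenation will not produce one clean series per pair.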