Hi,
Below is the search I am using to find the report_ID values that have the top count.
index=apache_web sourcetype=apache_hots host=abc | stats count by report_ID
Below is the output of the above query.
report_ID count
17615 25
12344 4
12435 2
11084 6
12181 9
13314 3
13945 2
13955 2
But I would like to see a visualization that shows when each report_ID occurred. For example, the report_ID 17615 has a count of 25, but I would like to see a time series visualization.
Like this?
index=apache_web sourcetype=apache_hots host=abc
| timechart dc(report_ID)
Or maybe this?
index=apache_web sourcetype=apache_hots host=abc
| timechart count by report_ID