Hi,
I have a query that looks like this:
earliest=-100hr index=blahalarm STATUS=readyArmed OR STATUS=ready OR STATUS=notReady | mvexpand notReady | mvexpand ready | mvexpand readyArmed | mvexpand _time | timechart span=1hr values(field2) by STATUS
but the resulting dataset comes back as this. I'm confused, why wouldn't mvexpand create multiple events?
Fixed it. My data was coming in with 15min increments but my span=1hr. Once I set my span to 15min, all is well.
Doesn't the final timechart span=1h bring the events back into 1h buckets? The result looks like what I'd expect. Can you say more about what you're trying to achieve?
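An added illustration, not part of the original thread and not Splunk code: a small Python approximation of how `timechart span=... values(field2) by STATUS` buckets events, showing why 15-minute data collapses into multivalue cells at span=1hr and into single values at span=15min. The sample events and the function names are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one alarm reading every 15 minutes for two hours.
START = datetime(2024, 1, 1, 0, 0)
STATUSES = ["ready", "readyArmed", "notReady", "ready"]
EVENTS = [
    {"_time": START + timedelta(minutes=15 * i),
     "STATUS": STATUSES[i % 4],
     "field2": 100 + i}
    for i in range(8)
]

EPOCH = datetime(1970, 1, 1)

def timechart_values(events, span, field="field2", by="STATUS"):
    """Approximate `timechart span=<span> values(<field>) by <by>`.

    Returns {(bucket_start, by_value): [distinct values]}.
    """
    cells = defaultdict(set)
    for ev in events:
        # Snap _time down to the start of the bucket it falls in.
        bucket = EPOCH + (ev["_time"] - EPOCH) // span * span
        cells[(bucket, ev[by])].add(str(ev[field]))
    # values() keeps the distinct values of each cell, sorted lexicographically.
    return {key: sorted(vals) for key, vals in cells.items()}

def multivalue_cells(table):
    """Count the cells that hold more than one value."""
    return sum(1 for vals in table.values() if len(vals) > 1)

if __name__ == "__main__":
    for label, span in (("1hr", timedelta(hours=1)),
                        ("15min", timedelta(minutes=15))):
        table = timechart_values(EVENTS, span)
        print(f"span={label}: {len(table)} cells, "
              f"{multivalue_cells(table)} multivalue")
        for (bucket, status), vals in sorted(table.items()):
            print(f"  {bucket:%H:%M}  {status:<10} {vals}")
```

The multivalue cells are produced by values() inside the timechart step, which runs after every mvexpand earlier in the pipeline, so only the span decides how many readings land in one cell.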