Hi ,
i have 3 fields host , swapfree, memoryfree in my index
i want to display count like this :
timechart span=1h count(swapfree) as swapfree , count(memoryfree) as memoryfree by host
problem is : i am passing swapfree and memory free as token and host also as token
can anyone help me in this :
in my timechart : x-axis: time , y-axis : bytes in swapfree , memoryfree for the host selected
What exactly is and isn't working with your current approach?
Also: if you want to chart the actual bytes, you shouldn't be using count()
as the aggregation function in the timechart
command. You probably want to use avg()
, min()
or max()
or earliest()
or latest()
depending on what exactly you want to display.
used tokens :
index=idix_infra_prod $swap$ $host$ source=Apigssor
| table _time host $swap$
| fields - OR
| timechart span=$span$ count by $swap$
translates to :
index=iod MemoryBuffers MemoryUsedPercent MemoryTotal (host="vgapx5vr") source=Apigor
| table _time host MemoryBuffers MemoryUsedPercent MemoryTotal
| fields - OR
| timechart span=1h count by MemoryBuffers MemoryUsedPercent MemoryTotal
if i try to do an average , this is the problem, token issue
index=idxrod $swap$ $host$ source=Apicessor
| table _time host $swap$
| fields - OR
| timechart span=$span$ avg($swap$)
index=idrod MemoryBuffers MemoryUsedPercent MemoryTotal (host="vgapx5vr") source=Apor
| table _time host MemoryBuffers MemoryUsedPercent MemoryTotal
| fields - OR
| timechart span=1h avg(MemoryBuffers MemoryUsedPercent MemoryTotal)
Sounds like you may need to rethink your token approach a bit, because avg(field1 field2 field3) of course will not work. Not an expert on tokens, but you can perhaps do some pre-processing on that token before passing it to the search, such that you can provide a specific token for the timechart command that actually takes the avg() of each of the fields rather than avg over a string containing multiple fieldnames.
when i am using one token , its working
but multiple tokens wen i am selecting using multiselct , its not working