Greetings
I'm using the following query over 24hrs.
| initial search
| timechart useother=f span=1h avg(field1) by field2 where avg > 100
| fields - NULL
And I get results that meet that criteria, but when I increase the numeric value from > 100 to > 400, I get zero results even though I should see at least one or two fields from "field2" populate. Any thoughts on what is causing my dilemma?
You could do something like this:
initial search
| stats avg(field1) AS avg by _time, field2 | where avg > 100 | xyseries _time field2 avg
That will actually work for what I'm trying to accomplish, thank you!
Try-
| timechart limit=0 span=1h avg(field1) AS avg by field2 | where avg > 200
Thank you for the suggestion but that doesn't seem to work either.
Pls accept the answer to close tracking.
Pls change your search as below and re-test
initial search
| timechart useother=f span=1h avg(field1) AS avg by field2 where avg > 100
Thank you for the suggestion, but the data still disappears when I increase the numeric value to 200 even though there should be results.
Do you see avg more than 200 when you run
initial search
| timechart useother=f span=1h avg(field1) AS avg by field2 | where avg > 100
No, nothing populates regardless of the numeric value when I pipe the where clause to its own line, I'm afraid.