Tried to use the below query, but unfortunately the events are grouped with reference to _time.
index=omi_UAT host=* sourcetype=all_events_custom_attributes SEVERITY IN (CRITICAL,MAJOR,MINOR) OR (SEVERITY=WARNING AND APPLICATION=NNMi)
| dedup ID
| timechart count(ID) BY SEVERITY
Try this. It assumes TIME_CREATED is in epoch form.
index=omi_UAT host=* sourcetype=all_events_custom_attributes SEVERITY IN (CRITICAL,MAJOR,MINOR) OR (SEVERITY=WARNING AND APPLICATION=NNMi)
| dedup ID
| eval _time = TIME_CREATED
| timechart count(ID) BY SEVERITY
Sorry, it didn't work. TIME_CREATED is in the format "2019-12-13 13:32:25.0".
So convert it.
index=omi_UAT host=* sourcetype=all_events_custom_attributes SEVERITY IN (CRITICAL,MAJOR,MINOR) OR (SEVERITY=WARNING AND APPLICATION=NNMi)
| dedup ID
| eval _time = strptime(TIME_CREATED, "%Y-%m-%d %H:%M:%S.%N")
| timechart count(ID) BY SEVERITY
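As an added example (not part of the thread above), the same rebasing of _time onto TIME_CREATED run against constructed events from makeresults, so the strptime format can be checked before the search is pointed at the real index. The ID, SEVERITY, APPLICATION and TIME_CREATED values are made up; EV-1 is duplicated to exercise dedup, EV-4 is filtered out by the severity condition, and EV-5 deliberately carries a timestamp in the wrong format.

```spl
| makeresults count=6
| streamstats count AS n
| eval ID = case(n<=2, "EV-1", n==3, "EV-2", n==4, "EV-3", n==5, "EV-4", n==6, "EV-5")
| eval SEVERITY = case(n<=2, "CRITICAL", n==3, "MAJOR", n==4, "WARNING", n==5, "WARNING", n==6, "MINOR")
| eval APPLICATION = if(n==4, "NNMi", "OMi")
| eval TIME_CREATED = case(n<=2, "2019-12-13 13:32:25.0", n==3, "2019-12-13 14:05:10.0", n==4, "2019-12-13 14:40:00.0", n==5, "2019-12-13 14:50:00.0", n==6, "13/12/2019 15:00:00")
| search (SEVERITY IN (CRITICAL,MAJOR,MINOR) OR (SEVERITY=WARNING AND APPLICATION=NNMi))
| dedup ID
| eval created_epoch = strptime(TIME_CREATED, "%Y-%m-%d %H:%M:%S.%N")
| eval parse_ok = if(isnull(created_epoch), "no", "yes")
| eval _time = created_epoch
| timechart span=1h count(ID) BY SEVERITY
```

Expect one CRITICAL in the 13:00 bucket and one MAJOR plus one WARNING in the 14:00 bucket; EV-5 is absent because strptime returns null for a string that does not match the format, which leaves _time null and timechart silently drops the event. Swap the last line for `| stats count BY parse_ok, SEVERITY` to surface such rows before trusting the chart.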