I'm using a summary index to get data and display it in a timechart, but I'm not able to create a time chart with the data.
index = summary_dm search_name = Instance_count | table total_Instancecount _time
(total_Instancecount, _time) these are the two fields
The summary index is created by using:
index = application cf_org = * cf_space = * cf_app = * instance_index = *
| bucket _time span=1min
| dedup cf_org cf_space cf_app instance_index
| timechart span=1min count(instance_index) by cf_app
| addtotals fieldname = Total_instances
| fields _time Total_instances
The report is scheduled using the above query.
The summary index is populated with _time total_Instancecount.
Try this:
index = summary_dm search_name = Instance_count
| timechart sum(Total_instances) AS Total_instances
@kirrusk what is the frequency of your summary indexing? Also, how is the summary index being created? For plotting the timechart, what is the span you are looking for?
index = summary_dm search_name = Instance_count
| timechart sum(total_Instancecount) as total_Instancecount
The summary index is created by using:
index = application cf_org = * cf_space = * cf_app = * instance_index = *
| bucket _time span=1min
| dedup cf_org cf_space cf_app instance_index
| timechart span=1min count(instance_index) by cf_app
| addtotals fieldname = Total_instances
| fields _time Total_instances
The report is scheduled using the above query.
The summary index is populated with _time Total_instances.
@kirrusk did you try the above query? Does it work for you?