Hi,
I am trying to display the ERROR count as a single value, using the search below:
index=myindex ERROR co_name=$co_name$ env_name=$env_name$ | timechart span=1m count | eval _time=_time-now()%3600 | sort +_time
If you need the trend to be based on the hour before the current one, you need to add the following earliest and latest times to your base search (i.e. last 2 hours):
<earliest>-2h@h</earliest>
<latest>now</latest>
Your search query will change as follows:
index=myindex ERROR co_name=$co_name$ env_name=$env_name$ | timechart span=1h count
And then edit "Compared to" to 1 hour before, so that the current hour's stats are compared with the previous hour for trending.
<option name="trendInterval">-1h</option>
This way you will get the current hour count as the single value and the last hour count as the trend indicator.
PS: The timeline will be restricted to only the last two hours as per your need, but you can set -2h@h to an even earlier value like -4h@h (last 4 hours) or even -0d@d (beginning of the day) to show an hourly sparkline in the trend indicator. However, the trend interval will remain 1 hour and the current hour will always be compared with the previous hour, as set in the above code block.
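The pieces from the answer above, assembled into one Simple XML single value panel, as an added example that is not part of the original posts. It assumes the dashboard's form inputs set the `co_name` and `env_name` tokens; the panel title and the display options other than `trendInterval` are illustrative choices.

```xml
<panel>
  <single>
    <!-- Title is a constructed example value -->
    <title>ERROR count, current hour vs previous hour</title>
    <search>
      <!-- $co_name$ and $env_name$ are assumed to be set by form inputs elsewhere in the dashboard -->
      <query>index=myindex ERROR co_name=$co_name$ env_name=$env_name$ | timechart span=1h count</query>
      <!-- -2h@h snaps to the top of the hour: two complete hours plus the current partial hour -->
      <earliest>-2h@h</earliest>
      <latest>now</latest>
    </search>
    <!-- Compare the latest hourly bucket with the bucket one hour earlier -->
    <option name="trendInterval">-1h</option>
    <option name="showTrendIndicator">1</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="showSparkline">1</option>
    <!-- For an error count a rise is bad: colour by trend and invert so increases show red -->
    <option name="useColors">1</option>
    <option name="colorBy">trend</option>
    <option name="trendColorInterpretation">inverse</option>
  </single>
</panel>
```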
Thank you, I updated the search string based on your suggestion and it's working perfectly.
Why not just add on a '| stats count' or a '| stats count | table count' on the end? That would give you a count of the events you have found.
Hi,
I would like to display and want to change this so it shows the continuous last 60 minutes. So if the search is run at 17:00, the single value would show 15:00 to 16:00, and the trend arrow and value with compare is 14:00 to 15:00.
Take a look here, it mentions a timechart command may produce the result you want:
link text
So you may already have the code you need. Have you tried looking at the options for the trend in the xml?