Hello,
I can't for the life of me figure out what I am doing wrong here.
I'm trying to keep track of total running transactions; my logfiles are more or less of the following syntax:
timestamp host=$host transaction_count=12345
I am trying to calculate the total number of transactions per host. The log entries don't occur regularly; there may be days until a given host has any transaction.
The following:
...| bin _time |stats sum(transaction_count) as transaction_count by host,_time |streamstats sum(transaction_count) as transaction_count by host |timechart last(transaction_count) by host
seems to be more or less working, although why I need the first stats I am not sure. However, due to 1 day span most of my actual table entries are empty, and as such, once I plot the data in a report, it looks very ugly. As the "connect" option sometimes inexplicably drops the values to zero in the multi-series area graph (another slight mystery to me), although it's supposed to be a cumulative value, is there a way to force streamstats to populate those empty spots in my table with the last earlier "known" value? In other words, if I have a value of 100 at timestamp 12:00, and 200 at timestamp 15:00, with span=1h, can I backfill the 13:00 and 14:00 values with 100?
Thanks in advance!
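An added example, not part of the original post: the pipeline from the question run over constructed events generated with `makeresults`, with SPL's `filldown` command appended so that each empty timechart bucket takes the last earlier non-null value in its column. The hosts web01 and web02 and all counts are invented sample data, and span=1h is used to reproduce the 100 at 12:00 and 200 at 15:00 case described above.

```spl
| makeresults count=4
| streamstats count as n
| eval _time = relative_time(now(), "-1d@d") + case(n=1, 12*3600, n=2, 12*3600+600, n=3, 15*3600, n=4, 13*3600)
| eval host = if(n=4, "web02", "web01")
| eval transaction_count = case(n=1, 60, n=2, 40, n=3, 100, n=4, 7)
| bin _time span=1h
| stats sum(transaction_count) as transaction_count by host, _time
| streamstats sum(transaction_count) as transaction_count by host
| timechart span=1h last(transaction_count) by host
| filldown
```

With this data web01 reads 100 at 12:00, 13:00 and 14:00 and 200 at 15:00. Buckets before a host's first event (web02 at 12:00) stay empty, since `filldown` has no earlier value to carry forward.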