So let's start with what I have. What's getting me good data:
sourcetype=xfer AND (XferStatus="*Beginning*") OR (XferStatus="*completed*")
I've already done a field extraction and called it XferStatus. Basically what it's doing is looking in my Transfer log for a key phrase of "http - 80". I'm then evaluating it to pull just the transfer starts or endings.
What I need to do is end up with a line chart that shows the rise and fall of Beginnings vs. Completions over a 4-hour window.
Where I'm stuck is that I can't figure out a way to have it count Beginnings and Completions, because they are both searches on the XferStatus field. I'm happy not renaming them if I can get a timechart built off a search, but I can't seem to get that right either.
Help, please!