Hi,
I want to see multiple trendlines in a single graph, for multiple values.
My end-goal is to have trendlines for each type of error, so I can define an alert if any specific error has grown in comparison to the moving average count of that specific error. Something like (simplified):
sourcetype=x ERROR | timechart span=1m count as error_count | trendline sma10(error_count) as moving_avg_errors | eval spike=if(error_count > 2 * moving_avg_errors, 1000, 0)
This gives me a good output in total to all errors.
However, I want to see different errors separately.
When I do the following:
sourcetype=x ERROR | timechart span=1m count by error_msg limit=100
This gives me a timechart count of various error messages I have in my logs.
I would like to see independent trendlines for each of these messages.
Using "trendline sma10(?) as moving_avg_errors" obviously doesn't work this time, since it requires a specific field to work against.
How can I achieve this?
Am I looking at this search the wrong way?
Is it possible to make use of foreach in this case somehow?
Thanks for your help!