So I have a dashboard currently that runs 6 reports to build all of its widgets. Basically 1 per widget. The issue is that the data each widget is summing over is huge. So instead of 6 large reports I'd prefer to have 1 huge report that each widget uses.
The issue I'm having is that the base report I want looks vaguely like this:
index=theIndex data_type=raw OR (data_type=error AND error_reason="Unknown*") | bin _time span=5m | stats count by _time,data_type,relay,alias
So simple enough really. Just going "gimme this data", dropping it into 5m bins, then give me a big table broken down by time, data_type, relay and alias. Great.
But when I want to make a time chart off of this report in a dashboard as a base search I run into some issues. When I tried the query in just plain search I threw in
| timechart span=5m count by data_type
in the dashboard search code. It just gave back the count of different relay and aliases per time period.
I know I need to grab the count value from the stats but I'm unsure of how to do it properly.
Thanks!
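Added example, not part of the original post: a Simple XML dashboard that runs the base report above once and post-processes it per panel. The rows coming out of the base `stats` are already aggregated, so the post-process searches sum the existing `count` field instead of counting rows. The search id `base`, the labels and titles, the time range and the second panel are assumptions made for illustration.

```xml
<dashboard version="1.1">
  <label>Relay overview (example)</label>
  <!-- Base search: runs once; every panel below post-processes its result.
       It ends in a transforming command (stats), so panels receive the
       aggregated table rather than raw events. Time range is an assumption. -->
  <search id="base">
    <query>index=theIndex data_type=raw OR (data_type=error AND error_reason="Unknown*")
| bin _time span=5m
| stats count by _time,data_type,relay,alias</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Events by data_type</title>
      <chart>
        <!-- A plain "count" here counts result rows (one per
             data_type/relay/alias combination in each 5m bin).
             sum(count) adds up the event counts stored in those rows. -->
        <search base="base">
          <query>| timechart span=5m sum(count) AS count BY data_type</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
    <panel>
      <title>Events by relay</title>
      <chart>
        <!-- Hypothetical second widget reusing the same base result. -->
        <search base="base">
          <query>| timechart span=5m sum(count) AS count BY relay</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Any field a panel splits or filters on has to appear in the base search's `by` clause, because the post-process searches only see the columns the base `stats` returns.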