I have a base search ("BaseSearch-SyslogsBro") that is scheduled to run daily in the morning which is utilized within a dashboard.
index=bro source=/opt/bro/logs/current/syslog.log | fields severity, asa_session, asa_code, id.orig_h, id.resp_h, msg_
Within the dashboard, I have different panels. In particular, I have one where I am hoping to show a timechart count by the severity field.
<form>
  <label>Syslogs Bro</label>
  <search id="base_search" ref="BaseSearch-SyslogsBro">
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Timechart</title>
        <search base="base_search">
          <query>| timechart count by severity</query>
        </search>
        <option name="charting.chart">area</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
As mentioned before, the base search is scheduled to run daily, but also with a Time Range of the last 24 hours. My problem is that currently, whenever I run this dashboard, the timechart only displays results for the last 3-4 hours (not the entire 24-hour frame).
Based on the code shown above and my base search, what am I doing wrong? Is there something wrong with my code/logic?
I appreciate any comments/guidance/hints.
Thanks,
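As an added example (not the asker's dashboard or a diagnosis of it), here is the same dashboard rewritten so that the base search is defined inline and is transforming: the time picker tokens then govern the search directly, and the post-process chart works on hourly aggregates rather than raw events, which keeps the job well under post-process result limits. The 1h span is an assumption.

```xml
<form>
  <label>Syslogs Bro (transforming base search)</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- Inline base search: pre-aggregates per hour (assumed span) so the job
       stays small and the time picker tokens apply directly to it. -->
  <search id="base_search">
    <query>index=bro source=/opt/bro/logs/current/syslog.log
      | bin _time span=1h
      | stats count by _time severity</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <row>
    <panel>
      <chart>
        <title>Timechart</title>
        <!-- Post-process over the hourly buckets, not over raw events -->
        <search base="base_search">
          <query>| timechart span=1h sum(count) as count by severity</query>
        </search>
        <option name="charting.chart">area</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
```

Other panels can post-process the same hourly buckets (for example `| stats sum(count) by severity` for a totals table) without re-reading the raw events.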