I've read over all of the other variations of this question, but I haven't been able to make this work.
I have a search that runs for the Last 7 days that checks for events between 08:30 and 17:30 and then charts out a numerical value known as 'capture_value'. The end goal is to have each date as its own line along the same time frame. The time value that is used is a field in the log file rather than _time; however, I have been able to modify the search to use `strftime(_time, "%H:%M:%S")` and it works just the same. As the data comes in 5-minute increments, there are too many data points to display along the x-axis.
Is it possible to change this to be every hour or 30 minutes? I have tried to make this work with a timechart, but it doesn't give the results broken down by date over time like I want.
host=production source=madeup_source.csv (capture_time >= "08:30:00" AND capture_time <= "17:30:00") | chart values(capture_value) as COUNT by capture_time, capture_date useother=f limit=0
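One way to coarsen the x-axis, as an added example rather than part of the original post: convert the string field capture_time to an epoch with strptime, let bin round it into 30-minute slots, then format the slot back to HH:MM before charting. It assumes capture_time is always formatted "%H:%M:%S" and that capture_date is already a per-day field as in the original search.

```spl
host=production source=madeup_source.csv
    (capture_time >= "08:30:00" AND capture_time <= "17:30:00")
| eval slot_epoch = strptime(capture_time, "%H:%M:%S")
| bin slot_epoch span=30m
| eval slot = strftime(slot_epoch, "%H:%M")
| chart avg(capture_value) AS capture_value BY slot capture_date useother=f limit=0
```

Each 30-minute slot now holds six 5-minute samples, so an aggregate such as avg (or max) replaces values(), which would produce a multivalue cell that does not chart; change span=30m to span=1h for hourly lines.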