Hi!
I have a scenario where we have used "| stats count" and gotten the total number for the range that we picked. This has been working fine but now we'd like to use timechart to get trends.
However, when using timechart the number becomes the latest "bucket" instead of the total number.
Example:
Searching with a time range of 60 minutes would give me the value for the last minute.
Been fiddling around with some suggestions but haven't found a reliable solution. This last one:
| timechart [search index=_internal | head 1 | addinfo | eval timerange= info_max_time-info_min_time | eval span=if(round(timerange/3600) == infinity, 1, round(timerange/3600))."h" | return span] count | appendpipe [stats count | where count=0]
generates errors like "Error in timechart command. The value for option span (infinityh) is invalid."
Any ideas of what I'm doing wrong?
/Patrik