We have a summary index called summary_site_stats.
One of the saved searches that adds data to that summary index is named:
summary - count by status not 2xx:
count=* and status=*
This search has 2 fields in it
06/16/2016 16:58:00 +0000, search_name="summary - count by status not 2xx", search_now=1466099880.000, info_min_time=1466096280.000, info_max_time=1466099880.000, info_search_time=1466099884.303, count=448, status=504
Using this search I am able to create a timechart of the values:
index=summary_site_stats search_name="summary - count by status not 2xx" status=* | rename count as mycount | timechart values(mycount) by status useother=f
It works if I run it over a 2 hour span, but if I run it for anything more, such as 7 days or 30 days, the timechart is blank.