I want to create a scheduled report that would count how many log files we’ve received in last hour. This is what I’ve written:
tstats dc(source) as "source" where index=“myindex”
Its working well, but I can’t figure out how to create a chart from it. I’ve tried chart and timechart commands, but I must be doing something wrong. I want it to run against the data for last 48 hours and I want the chart to have a span of 1 hour so I can see/show how many log files Splunk is getting in that one hour.
↧