Hello all, how do I create a timely dummy event (without using "| lookup" with an external file) to compare with the real generated events and show them as a chart?
**These logs are generated every 3 hours**
_raw event example:

```
2017-09-04 02:07:00,630 LOG - Code for SERVICE is :1
2017-09-04 05:10:08,450 LOG - Code for SERVICE is :0
2017-09-04 11:05:44,230 LOG - Code for SERVICE is :0
```
And sometimes the event is not created; as the example shows, the event for 08:00 didn't occur, but I need to map it as well.
Current search (the rex extracts the leading timestamp of the _raw events shown above):

```
base search
| rex "^(?<event_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
| eval Status = case(like(_raw, "%SERVICE is :0%"), "Success", like(_raw, "%SERVICE is :%"), "Failed")
| eval _time = strftime(strptime(event_time, "%Y-%m-%d %H:%M:%S"), "%Y/%m/%d %H:%M")
| chart count(Status) over _time by Status
```
Desired Result:

```
_time             Success  Failed  No Event
2017/09/04 02:07  0        1       0
2017/09/04 05:10  0        1       0
2017/09/04 08:00  0        0       1
2017/09/04 11:05  0        1       0
```
I did use "| timechart", but that method doesn't show the exact event time.
Thanks!
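One way to get the gap rows without a lookup file, as an added example that is not part of the original post: keep the exact event time in its own field, bucket the events into 3-hour bins, let `makecontinuous` generate the empty bins, and then display the exact time where one exists and the bin start where it does not. `base search` stands in for whatever index/sourcetype selection the poster uses; the regex and the Status logic are taken from the post, and the search assumes that exactly one SERVICE event is expected per 3-hour bin.

```spl
base search
| rex "^(?<event_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
| eval Status = case(like(_raw, "%SERVICE is :0%"), "Success", like(_raw, "%SERVICE is :%"), "Failed")
| eval _time = strptime(event_time, "%Y-%m-%d %H:%M:%S")
| eval exact_time = _time
| bin _time span=3h
| stats count(eval(Status="Success")) AS Success, count(eval(Status="Failed")) AS Failed, min(exact_time) AS exact_time BY _time
| makecontinuous _time span=3h
| fillnull value=0 Success Failed
| eval No_Event = if(Success + Failed = 0, 1, 0)
| eval _time = coalesce(exact_time, _time)
| eval _time = strftime(_time, "%Y/%m/%d %H:%M")
| table _time Success Failed No_Event
| rename No_Event AS "No Event"
```

Two caveats worth knowing when checking the result: `makecontinuous` only fills bins between the earliest and latest bin that actually has data, so a missing run at the very start or end of the time range still shows no row, and `bin span=3h` aligns bins to epoch boundaries, so if the job's schedule does not fall cleanly inside those boundaries in your timezone, use the `aligntime` option of `bin` to shift them.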