Howdy.
So I have two searches, which I have been asked to turn into "easy visualizations" so non-techies can look at it and go "This is bad, open a ticket."
Simple
index=location |search LockedStatus=Locked |rename UserAccountEntry as User |stats count as total by Location | sort 10 -total
Detailed
index=location |search LockedStatus=Locked |rename UserAccountEntry as User |stats count by Location User | stats list(User) as User list(count) as PerUser_count sum(count) as Total by Location | sort 10 -Total
(example of output of the details attached)
![alt text][1]
Just using the Visualization tab does not give me anything on a Marker Gauge, while the Single Value shows the location with the highest count. My understanding is they want to show the total number of today's account locks on the Marker Gauge and on the Single Value show today and show if its higher or lower then yesterday and by how much.
Having not used these before, looking for guidance.
Thanks
[1]: /storage/temp/159176-2016-09-09-8-30-07.jpg
↧
How do I modify my search so that it will show either a Marker Gauge or Single Value visualization?
↧