(this may be a duplicate, as I wrote a version of this question before registering and can't find it)
I have a situation where I have a column of values and want to use the maximum of all events as a value for use in a timechart by 1h span. Note: I'm a newbie.
For example: I have a column with the values [0, 73, 103, 171, 119] in my timechart 1h span - for 5 hours. I want to use the max value to populate all rows of another column - in this case 171.
I tried something like the following snippet, which of course didn't work (or I wouldn't be writing this):
| eval myFlag= if(like(myString, "%My Message%"), "true", "false")
| eval maxCount = 0
| foreach * [eval maxCount = if(myFlag="true", maxCount + 1, 0)]
| timechart count(eval(myFlag=="true")) as errorCount, max(maxCount) as maxErrorCount span=1h
Help appreciated!