Hello,
When using **timechart** without a **BY**, this works.

```
index IN (idx)
AND host IN (server)
AND source IN (ssl_access_log)
AND sourcetype=access_combined
AND method IN (GET,POST)
AND file="confirm.jsp"
AND date_hour>=6 AND date_hour<=22 latest=+1d@d
| eval certsFiled=case(file="confirm.jsp","1")
| timechart count span=2min
| timewrap d series=short
| where _time >= relative_time(now(), "@d+6h+55min") AND _time <= relative_time(now(), "@d+22h")
| eval colname0 = strftime(relative_time(now(), "@d"),"%D-%a")
| eval colname1 = strftime(relative_time(now(), "-d@d"), "%D-%a")
| eval colname2 = strftime(relative_time(now(), "-2d@d"), "%D-%a")
| eval {colname0} = s0
| eval {colname1} = s1
| eval {colname2} = s2
| fields - s* col*
```
However, once the BY clause is added, the logic no longer works.

```
index IN (idx) sourcetype IN (ssl_access_log)
AND date_hour>=17 AND date_hour<=20 Exception OR MQException earliest=-7d@d latest=+1d@d
| rex "\s(?<exception>[a-zA-Z\.]+Exception)[:\s]"
| search exception=*
| eval exception=case(exception="MQException","mqX",
exception="com.ibm.mq.MQException","mqXibm")
| timechart count span=1m BY exception
| timewrap d series=short
| where _time >= relative_time(now(), "@d+17h") AND _time <= relative_time(now(), "@d+20h")
| eval colname0 = strftime(relative_time(now(), "@d"),"%D-%a")
| eval colname1 = strftime(relative_time(now(), "-d@d"), "%D-%a")
| eval colname2 = strftime(relative_time(now(), "-2d@d"), "%D-%a")
| eval {colname0} = s0
| eval {colname1} = s1
| eval {colname2} = s2
| fields - s* col*
```
This includes many more days (colname) and exceptions (removed for brevity).
Thanks and God bless,
Genesius
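The following is an added illustration, not part of the post above and not Splunk code: it emulates in Python what a `timechart count span=1m BY exception | timewrap d` pipeline has to produce. Without a BY clause the chart has one series, so wrapping by day yields one column per day; with a BY clause every wrapped day carries one column per series, so there is no single `s0`/`s1` column to rename, and the day label has to be applied per series. The log lines, the assumed "now", and the `<series>_s<n>` column naming are all constructed for this example (the naming is the example's own convention, not a claim about Splunk's exact output field names).

```python
"""Emulate timechart ... BY <field> | timewrap d on constructed events.
Added example; not from the original post. All data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed "now" standing in for relative_time(now(), ...) in the post.
NOW = datetime(2024, 3, 20, 19, 0, 0)

# Constructed events: (timestamp, message), same time of day on three days.
EVENTS = [
    (NOW - timedelta(days=2, minutes=30), "Caught MQException: queue full"),
    (NOW - timedelta(days=2, minutes=29), "Caught com.ibm.mq.MQException: reason 2035"),
    (NOW - timedelta(days=1, minutes=30), "Caught MQException: queue full"),
    (NOW - timedelta(minutes=30), "Caught com.ibm.mq.MQException: reason 2035"),
    (NOW - timedelta(minutes=30), "Caught com.ibm.mq.MQException: reason 2035"),
    (NOW - timedelta(minutes=5), "no exception here"),
]

# Same extraction as the post's rex: a dotted class name ending in Exception.
EXC_RE = re.compile(r"\s(?P<exception>[a-zA-Z.]+Exception)[:\s]")
# Same relabelling as the post's case(); anything else is dropped like `search exception=*`.
LABELS = {"MQException": "mqX", "com.ibm.mq.MQException": "mqXibm"}


def extract_exception(msg):
    """Return the short series label for a message, or None if no known exception."""
    m = EXC_RE.search(msg)
    return LABELS.get(m.group("exception")) if m else None


def timechart_by(events, span_minutes=1):
    """timechart count span=<span_minutes>m BY exception -> {bin_start: {series: count}}."""
    chart = defaultdict(lambda: defaultdict(int))
    for ts, msg in events:
        series = extract_exception(msg)
        if series is None:
            continue
        bin_start = ts.replace(minute=ts.minute - ts.minute % span_minutes,
                               second=0, microsecond=0)
        chart[bin_start][series] += 1
    return {k: dict(v) for k, v in chart.items()}


def timewrap_days(chart, now, days=3, hours=(17, 20)):
    """Wrap each day's bins onto today's clock and keep the hours window.
    Column name is '<series>_s<n>', n = days back from today (example convention).
    With one series this collapses to one column per day; with BY it is days x series."""
    today = now.replace(hour=0, minute=0, second=0, microsecond=0)
    wrapped = defaultdict(dict)
    for bin_start, counts in chart.items():
        day_offset = (today - bin_start.replace(hour=0, minute=0, second=0, microsecond=0)).days
        if not 0 <= day_offset < days:
            continue
        tod = bin_start.replace(year=today.year, month=today.month, day=today.day)
        if not hours[0] <= tod.hour <= hours[1]:  # the post's where _time >= @d+17h ...
            continue
        for series, c in counts.items():
            wrapped[tod][f"{series}_s{day_offset}"] = c
    return dict(wrapped)


def column_names(wrapped):
    """All wrapped column names; shows why a bare `s0` cannot exist once BY is used."""
    return sorted({col for cols in wrapped.values() for col in cols})


def label_columns(wrapped, now, fmt="%m/%d/%y-%a"):
    """Rename '<series>_s<n>' to '<series>_<date>' (fmt is the portable form of %D-%a)."""
    out = {}
    for tod, cols in wrapped.items():
        row = {}
        for col, c in cols.items():
            series, _, n = col.rpartition("_s")
            row[f"{series}_{(now - timedelta(days=int(n))).strftime(fmt)}"] = c
        out[tod] = row
    return out


if __name__ == "__main__":
    w = timewrap_days(timechart_by(EVENTS), NOW)
    print(column_names(w))
    for tod, row in sorted(label_columns(w, NOW).items()):
        print(tod.strftime("%H:%M"), row)
```

The point to take from `column_names` is structural: after the BY clause the wrapped table has a column for every (day, series) pair, so the `eval {colname0} = s0` step in the post has to be repeated per series (or done with a wildcard-aware rename) rather than once per day.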