How to make charts with derived fields

Follow

Ken Bell

• December 16, 2020 17:45

I have a simple query which gives me a single value.

json auto keys "message"
| parse "view [*] bus [*]" as receivedEvents, filteredEvents
| sum(receivedEvents) as received, sum(filteredEvents) as filtered
| received - filtered as totalFiltered
| fields totalFiltered

I need to make a timecourse line chart.
I tried adding timeslice 1h then sum(totalFiltered), but that is bad ssyntax.

json auto keys "message"
| parse "view [*] bus [*]" as receivedEvents, filteredEvents
| sum(receivedEvents) as received, sum(filteredEvents) as filtered
| received - filtered as totalFiltered
| timeslice 1h
| sum( totalFiltered ) by _timeslice

I tried several wrong variations on this, but I don't know how to get the line chart I want.

 

0

• 

  Shobhit Garg

  • December 21, 2020 08:07

  Hi Ken,

  To have a chart, the query should be aggregated, and it looks to be aggregated queries.

  Can you let us know what happens when you try to make a line chart?

  Regards,

  Shobhit

  0

  Comment actions Permalink

Please sign in to leave a comment.