Why must queries in dashboards have a group-by operator?

Comments

2 comments

  • Matt Weick

    Was this ever answered?

  • Mario Sanchez

    Matt and Chris,

    In short, Dashboards require some grouping operator (Sum, Count, Avg) to avoid trying to chart/display a Panel that could potentially have 1000s of results. You will be able to chart your results if you edit your query to this:

    _source="My Logs" and "ERROR"
    | count by _sourceName
    | top 5 _sourceName by _count
    | sort by _sourceName asc

    A few things to note here:

    1. I removed the parse statement since you were not using it as part of the results, but I added the keyword "Error" to the first line to filter only the desired messages.
    2. I added the count operator to make it explicit and allow these results to be added to a Dashboard Panel.
    3. I added asc to the sort (ascending).

    Hope this helps!

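To make the point of the answer concrete, here is an added example (not from the original thread or from Sumo Logic) that emulates the same pipeline in Python over a constructed set of log records: the un-aggregated ERROR search yields one row per message, while `count by _sourceName | top 5 | sort by _sourceName asc` collapses it to at most five rows. Field names `_sourceName` and `_count` mirror the query; the records, source names and the tie-breaking rule for `top` are assumptions.

```python
from collections import Counter

# Constructed sample records: (_sourceName, message) pairs standing in for raw log messages.
SAMPLE_LOGS = [
    ("api-gateway", "ERROR upstream timeout"),
    ("api-gateway", "INFO request ok"),
    ("api-gateway", "ERROR upstream timeout"),
    ("auth-svc", "ERROR token expired"),
    ("auth-svc", "ERROR token expired"),
    ("auth-svc", "ERROR db unreachable"),
    ("billing", "ERROR card declined"),
    ("cache", "WARN eviction"),
    ("cache", "ERROR backend down"),
    ("db-proxy", "ERROR connection reset"),
    ("db-proxy", "ERROR connection reset"),
    ("scheduler", "ERROR job failed"),
    ("scheduler", "INFO job done"),
]


def raw_error_results(logs):
    """The search without any group-by: one result row per message containing ERROR.
    This is the row set a panel would have to chart if no aggregation were required."""
    return [(src, msg) for src, msg in logs if "ERROR" in msg]


def count_by_source(logs):
    """`| count by _sourceName` over the ERROR rows -> {_sourceName: _count}."""
    return Counter(src for src, _ in raw_error_results(logs))


def top_sources_sorted(logs, n=5):
    """`| top n _sourceName by _count | sort by _sourceName asc`.
    `top` keeps the n largest counts; the trailing sort then orders those n rows
    alphabetically, so the panel layout is stable even when counts are tied.
    Assumption: ties in _count are broken by source name (Sumo Logic's own rule may differ)."""
    counts = count_by_source(logs)
    top_n = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    return sorted(top_n, key=lambda kv: kv[0])


if __name__ == "__main__":
    raw = raw_error_results(SAMPLE_LOGS)
    agg = top_sources_sorted(SAMPLE_LOGS)
    print(f"{len(raw)} raw rows without group-by vs {len(agg)} aggregated rows")
    for src, cnt in agg:
        print(f"{src:12} {cnt}")
```

Running it shows 10 raw rows collapsing to 5 aggregated rows, with the sixth source (`scheduler`) dropped by `top 5`.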
