Is there a way to timeslice by a different date than messagetime? My use case is that most of my Sumo Logic analytics are running in PT, but I have a particular process whose results I need to analyze in daily buckets in UTC. My ideal would be to define a new date with the offset from messagetime and then feed that into timeslice, but I can't find a way to do that.
As a workaround, I'm formatting my custom date as YYYY-MM-DD and grouping by that date, but I don't get the benefits from timeslice like creating empty buckets for missing dates, which means that the bars in my various dashboard charts don't line up with each other, and that's really confusing to look at.
Here's what I'm currently doing:
(previous steps) | formatDate(_messageTime, "YYYY-MM-dd", "UTC") as utcDate | count by utcDate, myGroup | transpose row utcDate column myGroup
I've tried to use fillmissing but haven't gotten it to work yet. Here's an example of how I'm trying to use fillmissing:
(previous steps) | formatDate(_messageTime, "YYYY-MM-dd", "UTC") as utcDate | count by utcDate, myGroup | fillmissing timeslice (1d) in utcDate | transpose row utcDate column myGroup