create a time chart with unique count if field A per field B against time
this is what I have:
| timeslice 1h
| count _timeslice, version
| transpose row _timeslice column version
i have 10 devices(1-10) with 2 versions(v1,v2) and I want a time chart of
time on xaxis and 5 on yaxis for both v1 and v2.
How do I do this? I basically want a distinct count of devices in version against time.
Appreciate any pointers
-
Hello Kevin.
Apologies for the delayed response. Thanks for describing the issue with the sample query. I read it and based on my understanding, I tried a similar query inhouse:
_sourceCategory="/Internal_Category" and _collector="pcname"
| parse "HTTP/1.1\" * * \"http" as version, Size
| where version= 200 or version= 302
| timeslice 1h
| count by _timeslice,versionNote: I'm querying the data for 4 hrs range & time-slicing it for 1hr . Here 200 and 302 are similar to v1 and v2 versions in your query. This gave me the following result:
# Time version _count
1 07/14/2021 1:00:00 PM -0700 302 4
2 07/14/2021 3:00:00 PM -0700 302 2
3 07/14/2021 1:00:00 PM -0700 200 39
4 07/14/2021 2:00:00 PM -0700 200 112
5 07/14/2021 3:00:00 PM -0700 200 53
6 07/14/2021 2:00:00 PM -0700 302 4
Then I added the transpose operator & I got the following result._sourceCategory="/prod/apache/access" and _collector="vchoudhary-mac"
| parse "HTTP/1.1\" * * \"http" as version, Size
| where version= 200 or version= 302
| timeslice 1h
| count by _timeslice,version
| transpose row _timeslice column version# Time 200 302
1 07/14/2021 1:00:00 PM -0700 38 4
2 07/14/2021 2:00:00 PM -0700 112 4
3 07/14/2021 3:00:00 PM -0700 53 2After this, when I created the line graph, I can see time on X-axis and 200,302 on the Y-axis. Please refer to the attached screenshot. Let me know if I'm missing anything here.
Regards,
Vishal
Please sign in to leave a comment.
Comments
1 comment