How can I create a time series query based on multiple values available in a field?
I'm creating a time series graph to return multiple HTTP status code responses which are currently defined as multiple queries using a 'hard-coded' response. A loose query example would look similar to this:
"HTTP/1.1 200"
| timeslice 5m
| count by _timeslice
"HTTP/1.1 400"
| timeslice 5m
| count by _timeslice
However, the ideal approach would be to create a single time series query that returns all values in the status_code field and creates a new graph line per status_code response. Something along the lines of using a parsed variable like this:
| parse regex "HTTP/1\.1 (?<status_code>\d{3})"
The idea would be that only the status_codes that exist would create multiple line graphs instead of using hard coded response values.
I've been looking through the documentation and maybe I've missed this somewhere. Could someone direct me in the right area of documentation to review how (or if) this can be done, or provide me with an example that could create multiple line graphs in one query using available values within the status_code responses?
Official comment
Hi dominic,
The usual approach here is to use transpose, e.g.:
| count by _timeslice, status_code
| transpose row _timeslice column status_code
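To make the count-then-transpose step concrete, here is an added Python example (not code from the original post or from the query language's own implementation) that walks a handful of constructed access-log lines through the same three stages: parse the status code with the post's regex, bucket each hit into a 5-minute timeslice, count by (timeslice, status_code), and then transpose so that each status code that actually occurred becomes its own column (one line on the graph) with one row per timeslice. The log lines, field names and the render helper are assumptions made for the example; the zero-fill for buckets where a code had no hits is what keeps every series continuous across the time axis.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample access-log lines (not from the original post). Each line
# carries the request protocol followed directly by the status code, which is
# the shape the post's parse regex  HTTP/1\.1 (?<status_code>\d{3})  expects.
# The last line has no status code and shows how unparsed lines are dropped.
SAMPLE_LOGS = """\
2024-05-01T12:01:10Z 10.0.0.5 GET /login HTTP/1.1 200
2024-05-01T12:02:00Z 10.0.0.6 GET /index.html HTTP/1.1 200
2024-05-01T12:03:30Z 10.0.0.7 GET /admin HTTP/1.1 404
2024-05-01T12:04:59Z 10.0.0.8 POST /api/orders HTTP/1.1 500
2024-05-01T12:05:00Z 10.0.0.5 GET /login HTTP/1.1 200
2024-05-01T12:06:15Z 10.0.0.9 GET /wp-login.php HTTP/1.1 404
2024-05-01T12:07:45Z 10.0.0.9 GET /.env HTTP/1.1 404
2024-05-01T12:09:59Z 10.0.0.6 GET /index.html HTTP/1.1 200
2024-05-01T12:09:59Z 10.0.0.6 health-check: upstream ok
"""

# Python spelling of the post's regex (Python names groups with (?P<name>...)).
# The leading timestamp field is an assumption about the constructed log shape.
LINE_RE = re.compile(r"^(?P<ts>\S+) .*HTTP/1\.1 (?P<status_code>\d{3})\b")

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return (epoch_seconds, status_code) for a line, or None when the line
    carries no HTTP/1.1 status (the equivalent of parse regex dropping it)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dt = datetime.strptime(m.group("ts"), TS_FMT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp()), m.group("status_code")


def timeslice(epoch, seconds=300):
    """Floor an epoch timestamp to the start of its bucket (| timeslice 5m)."""
    return epoch - epoch % seconds


def count_by_timeslice_status(lines, seconds=300):
    """| count by _timeslice, status_code  ->  Counter keyed by (bucket, status)."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        epoch, status = parsed
        counts[(timeslice(epoch, seconds), status)] += 1
    return counts


def transpose_by_status(lines, seconds=300):
    """| transpose row _timeslice column status_code

    Returns (columns, rows): one column per status code that actually occurred
    (no hard-coded list), one row per time bucket, zero-filled where a code had
    no hits in that bucket so every series has a point on every tick."""
    counts = count_by_timeslice_status(lines, seconds)
    columns = sorted({status for _, status in counts})
    buckets = sorted({bucket for bucket, _ in counts})
    rows = []
    for bucket in buckets:
        label = datetime.fromtimestamp(bucket, tz=timezone.utc).strftime(TS_FMT)
        row = {"_timeslice": label}
        for status in columns:
            row[status] = counts.get((bucket, status), 0)
        rows.append(row)
    return columns, rows


def render(columns, rows):
    """Tab-separated rendering of the transposed table, header row first."""
    header = ["_timeslice"] + columns
    out = ["\t".join(header)]
    for row in rows:
        out.append("\t".join(str(row[c]) for c in header))
    return "\n".join(out)


if __name__ == "__main__":
    print(render(*transpose_by_status(SAMPLE_LOGS.splitlines())))
```

Running the block prints two rows (the 12:00 and 12:05 buckets) with columns 200, 404 and 500; the 500 column is 0 in the second bucket rather than absent, which is the property a charting layer needs to draw one continuous line per status code.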