So I think this may be a bug. Timewrap seems to only take single number h,w,m values.
For example, this
sourcetype="wineventlog:application" "Type=Warning" "EventCode=1" earliest=-4w | timechart count span=1h | timewrap 19h series=relative
Will plot graphs of every 9 hours, NOT every 19 hours.
Ditto if I make it timewrap 11h, it will be 1 hour not 11 hours.
Comments?
I also threw in a new command called 'drilldown' that handles "* | top 10 host useother=t", which allows you to drilldown on 'other' values and do the right thing.
I also threw in a new command called 'drilldown' that handles "* | top 10 host useother=t", which allows you to drilldown on 'other' values and do the right thing.