Hi,
I have a dashboard where I'm running a timechart search with tstats. I want to increase the default number of bins for the tstats command, so that if I search for the last 7 days, I get more than only 7 bins. I have a solution to this that works almost fine, shown below.
| tstats local=f prestats=f count WHERE index=main BY _indextime, _time [search index=main | head 1 | eval span=tostring(ceil((now()-relative_time(now(), "$time_token.earliest$"))/500))."s" | return span] | eval diff=_indextime-_time | fields - count | timechart bins=500 cont=t avg(diff) AS "Average", median(diff) As "Median" | eval Threshold=3600
The sub-search here is the key part. It extracts the duration from the time set with the time picker, and divides it by 500. For example, if I search for the last 7 days, the returned span for tstats will be 1331s. I'll copy it in below.
[search index=main | head 1 | eval span=tostring(ceil((now()-relative_time(now(), "$time_token.earliest$"))/500))."s" | return span]
Two problems:
Any help is greatly appreciated, thanks!
Assuming the timerange picker is applied to your main search (with tstats) as well, you can replace your span subsearch like this
| tstats local=f prestats=f count WHERE index=main BY _indextime, _time [| gentimes start=-1 | addinfo | eval span=tostring(ceil((info_max_time-info_min_time)/500))."s" | return span] | eval diff=_indextime-_time | fields - count | timechart bins=500 cont=t avg(diff) AS "Average", median(diff) As "Median" | eval Threshold=3600
The key here is addinfo command which extracts current time range into info_min_time (earliest) and info_max_time (latest) fields.
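A variant of the answer above, added here as an illustration and not part of the answerer's post. It uses makeresults as the single-row generator in place of gentimes and guards two edge cases the original subsearch does not: a picker set to All time (where addinfo reports info_min_time=0 and info_max_time as the string "+Infinity", so the subtraction yields no number) and a range so short that the computed span rounds to 0s. The index name, the 500-bin target and the 7-day fallback range are assumptions carried over from the thread, not values from the answer.

```spl
| tstats local=f prestats=f count WHERE index=main BY _indextime, _time
    [| makeresults
     | addinfo
     | eval range=if(isnum(info_max_time), info_max_time-info_min_time, 7*86400)
     | eval span=tostring(max(1, ceil(range/500)))."s"
     | return span]
| eval diff=_indextime-_time
| fields - count
| timechart bins=500 cont=t avg(diff) AS "Average", median(diff) AS "Median"
| eval Threshold=3600
```

makeresults and gentimes both emit a single row for addinfo to annotate, so the returned span is identical; gentimes additionally emits starttime/endtime fields that this subsearch never reads, which is why makeresults is the more direct choice here. The fallback of 7 days when info_max_time is non-numeric is a constructed default and should be set to whatever range the dashboard is expected to cover.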
Works perfect, thank you!
Though, someone recommended me to use makeresults instead of gentimes. Is there any practical difference?
Exactly right.
It might help:
eval latest_time = $time_token.latest$ | eval span=tostring(ceil((latest_time-relative_time(now(), "$time_token.earliest$"))/500))."s"