I want to set up a bar graph that displays more than one field when I hover over it. For example, I use:
search | chart count over host by IP_address
So this displays just the host on the actual graph, BUT it also shows me the IP_address if I hover my mouse over that specific bar.
Now, I also want to add one more field to display when I hover over a specific bar.
The chart command supports aggregation by just two fields, so you'd have to try the workaround of concatenating two fields into one and using the concatenated field in the by clause.
search | eval "IP_address/OtherField"=IP_address.":".OtherField | chart count over host by "IP_address/OtherField"