Here is the sample data.
RED: 2086
GREEN: 1579
WHITE: 159
PINK: 348
ORANGE: 0
This should do it:
... | rex max_match=0 field=_raw "(?<lineData>[^:]+:\s*\d+)" | mvexpand lineData | rex field=lineData "(?<color>[^:]+):\s*(?<count>\d+)" | timechart span=1h sum(count) AS count BY color
This makes your X-axis interval 1 hour.
No, this query is just displaying the events, not the visualization. All these events come through a custom shell script whose output we made "sourcetype = weblogic_stdout"; not sure if that matters here.
After further cleanup of my event, this worked perfectly. Thanks Woodcock.
After you run the search, in the UI click on the Visualization tab and create whatever visualization you need.
I know, but this query was not representing any timechart to visualize.
You are going to have to replace ... with your base search. I tested this on your sample data: it works just fine.
... | rex max_match=0 field=_raw "(?<lineData>[^:]+:\s*\d+)" | mvexpand lineData | rex field=_raw "(?<color>[^:]+):\s*(?<count>\d+)" | timechart span=1h sum(count) AS count BY color
With this query I am able to see only "RED", but I want the other lines (GREEN, WHITE...) to be charted as well.
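The difference between the query above and the accepted one is the field the second `rex` reads: `field=_raw` re-parses the whole event for every expanded row and, with rex's default `max_match=1`, always returns the first line (RED), while `field=lineData` parses only that row's own line. The following is an added Python emulation of the four SPL stages (rex, mvexpand, rex, timechart), not part of this thread and not Splunk code; the first `_raw` body copies the sample data posted above, and the other bodies and all timestamps are constructed so the hourly bucketing has something to group.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed events as (timestamp, _raw). The first _raw body copies the sample
# data posted in the thread; the other two bodies and all timestamps are made up
# so that the hourly bucketing has something to group.
EVENTS = [
    (datetime(2015, 1, 1, 10, 5), "RED: 2086\nGREEN: 1579\nWHITE: 159\nPINK: 348\nORANGE: 0"),
    (datetime(2015, 1, 1, 10, 35), "RED: 14\nGREEN: 21\nWHITE: 0\nPINK: 3\nORANGE: 7"),
    (datetime(2015, 1, 1, 11, 10), "RED: 100\nGREEN: 200\nWHITE: 300\nPINK: 400\nORANGE: 500"),
]

# The two patterns from the thread's rex stages. Splunk writes named groups as
# (?<name>...); Python's re module needs (?P<name>...).
LINEDATA_RE = re.compile(r"(?P<lineData>[^:]+:\s*\d+)")
COLOR_RE = re.compile(r"(?P<color>[^:]+):\s*(?P<count>\d+)")


def rex_all(raw):
    """Stage 1, `rex max_match=0 field=_raw "(?<lineData>[^:]+:\\s*\\d+)"`:
    every match becomes one value of the multivalue field lineData."""
    return [m.group("lineData") for m in LINEDATA_RE.finditer(raw)]


def extract_rows(raw, rex_field):
    """Stages 2 and 3, `mvexpand lineData | rex field=<rex_field> "..."`.
    rex defaults to max_match=1, so only the first match in the chosen field
    counts. Returns one (color, count) pair per expanded row."""
    rows = []
    for line_data in rex_all(raw):
        subject = raw if rex_field == "_raw" else line_data
        m = COLOR_RE.search(subject)
        if m:
            # [^:]+ also swallows the newline that precedes every line after the
            # first, so trim it before using the value as a BY field.
            rows.append((m.group("color").strip(), int(m.group("count"))))
    return rows


def timechart_sum_by_color(events, rex_field):
    """Stage 4, `timechart span=1h sum(count) AS count BY color`: floor each
    event to its hour and sum count per color inside that bucket.
    Returns {"YYYY-MM-DD HH:00": {color: total}}."""
    chart = defaultdict(lambda: defaultdict(int))
    for ts, raw in events:
        bucket = ts.strftime("%Y-%m-%d %H:00")
        for color, count in extract_rows(raw, rex_field):
            chart[bucket][color] += count
    return {bucket: dict(colors) for bucket, colors in chart.items()}


if __name__ == "__main__":
    # rex field=_raw: every expanded row re-reads the whole event and matches
    # "RED: 2086" first, so the chart has a single series (the symptom above).
    print("field=_raw    :", timechart_sum_by_color(EVENTS, "_raw"))
    # rex field=lineData: each row parses its own line, one series per color.
    print("field=lineData:", timechart_sum_by_color(EVENTS, "lineData"))
```

Running it shows the `_raw` variant summing every row into RED (the sample event alone contributes RED five times), while the `lineData` variant yields one series per color in each hourly bucket. The `[^:]+` pattern also matches anything before the first colon, so an event whose `_raw` carries a colon-delimited timestamp would need a tighter pattern (for example `\w+`) or a cleaner event layout.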
Is this 1 event or 5?
This was one event.
Does your event have a timestamp? Do all the events contain all those fields? Just those fields? More? Less?
Yes, I do have a timestamp, and all the events will have all these fields with different values.