I have the query below, and it should give the results for a time filter of the last four hours (or) the last 24 hours.
| makeresults | bucket _time span=1h | stats count by _time
But it is giving only the latest hour instead of 4 records for the last-four-hours filter (or) 24 records for the last-24-hours filter.
Kindly help us.
makeresults by itself generates a single event with the current timestamp. Therefore, that event will fit into a single hour bucket. If you tell makeresults to generate multiple events, those events will have the same timestamp and you'll still have everything in a single bucket.
Please describe the problem you are trying to solve and we may be able to suggest a solution.
I need the time slicing here, like this: I want to see four events for span=1h in the last-four-hours filter.
Something like the below:
| bin _time span=1h | fields _time
The result should be:
_time
2020-04-29 10:00
2020-04-29 9:00
2020-04-29 8:00
2020-04-29 7:00
I want to get all the time spans irrespective of count (with nulls as well), so I am trying to apply a cross join using the "join max=0" below once I have proper time slicing:
| makeresults | bin _time span=1h | fields _time | join max=0 [search index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" | spath output=osm_zone_id path=dimensions{2}.value | dedup osm_zone_id | fields osm_zone_id] | table _time, osm_zone_id
Kindly help us.
Can you please let us know how to handle the above query, getting each event with respect to the span limit?
The current query does nothing. Please describe the real problem you are trying to solve.
The timechart command will fill in missing time frames. Try
index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor"
| spath output=osm_zone_id path=dimensions{2}.value
| dedup osm_zone_id | fields _time osm_zone_id
| timechart span=1h values(osm_zone_id) as osm_zone_id
| table _time, osm_zone_id
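One way to produce the four hourly rows the questioner described (current hour plus the three before it) and then cross join them with a zone list, as an added example that is not from any participant in the thread. It assumes nothing about the real data: the zone list is constructed inline with makeresults in place of the index search, and joiner is a dummy key added on both sides because join needs a shared field; max=0 lets every hour match every zone.

```spl
| makeresults
| eval _time=mvrange(relative_time(now(), "-3h@h"), relative_time(now(), "+1h@h"), 3600)
| mvexpand _time
| eval joiner=1
| join max=0 joiner
    [| makeresults count=3
     | streamstats count as n
     | eval osm_zone_id="zone_" . n, joiner=1
     | fields osm_zone_id joiner]
| fields - joiner
| sort - _time osm_zone_id
| table _time osm_zone_id
```

Replace the inner makeresults subsearch with the original index search followed by `| dedup osm_zone_id | eval joiner=1 | fields osm_zone_id joiner` to get one row per hour per zone, including hours with no events.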