I have a search: (index=.... sourcetype=....| stats count(transaction) as "Transaction")
How ever when I use this search for ITSI my result in KPIs is:
Anyone know why and how to fix this
Thank you for your help.
Hi!
You should not use stats in a KPI search, in most cases that will never be needed. Reasons are:
1. ITSI itself is doing the "stats" for you.
2. stats if done wrong removes _time which might be the problem in you case.
I would suggest changing your KPI search to something like:
index=my_index sourcetype=my_type transaction=*
| eval has_transaction=1
Now you can extract 2 KPIs depending on you use case, either sum of has_transaction (Number of logged transactions in past X min) or do a dc by transaction (Number of unique transaction in the past X min)
/Seb