I have data like that mentioned below:
28-11-01 10:30:13,127 digits=30
28-11-01 07:20:08,240 digits=50
28-11-01 05:01:18,101 digits=60
28-11-01 12:12:22,127 digits=120
09-12-01 12:12:22,127 digits=180
10-01-01 05:01:18,101 digits=500
I want to display the latest digit using a timeline chart. I have written a query like
| timechart latest(digits) as latestRecord and it's working fine, but when running this a couple of times over the span of the last 3 months, the output for the November month keeps changing. Like one time it's displaying 30, another time 50, 60, 120, like that.
If I run it multiple times also, expected output:
I believe that your example output is wrong (should be 30); try this:
| makeresults
| eval raw="28-11-01 10:30:13,127 digits=30:::28-11-01 07:20:08,240 digits=50:::28-11-01 05:01:18,101 digits=60:::28-11-01 12:12:22,127 digits=120:::09-12-01 12:12:22,127 digits=180:::10-01-01 05:01:18,101 digits=500"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<_time>.*?) digits=(?<digits>\d+)$"
| eval _time = strptime(_time, "%d-%m-%y %H:%M:%S,%3n")
| sort 0 - _time
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| bin _time span=1d
| dedup _time
| timechart latest(digits) as latestRecord assigns an auto span to the time window (1d, 1mon etc.) based on your time selection.
Try setting a fixed span based on your requirement. For example, if you want the latest data per month, set it as 1mon, or for per day as 1d.
| timechart span=1mon latest(digits) as latestRecord
@james_n, that's OK. We just need to set the span. So if we set the span to 1mon as in the above example, the search will pick up the latest digit of that month regardless of what time range the user selects. How do you define latest? Is it the latest of the month, or the latest of all time (just 1 value), or the latest of the day, or the latest of another parameter?
I would like to display the latest digit in an entire month, like the above-mentioned expected output from the mentioned data. I am writing the query, i.e. | timechart latest(digits) as latestRecord. If I mention the span also, like | timechart span=1mon latest(digits) as latestRecord, it's not working; it keeps changing.