I have a need to track 2 related events. An object gets tagged if it fails a check. If the failure does not get fixed in 5 days, the object is removed. Would there be a way on a multiline chart to shift one of the lines by 5 days? I want to be able to easily look at the chart and see what the difference is between failing whether or not the object gets fixed.
The search is pretty basic. It is actually 2 searches united with an appendcols; both searches end with a "| timechart span=1d count(field)". This produces a 3-column statistics output with _time, failed and removed, from which the visualization returns a nice graph, but I need to look either 5 days forward or back to see the related event count. Something like this:
index=test source=testsource tag=failed | timechart span=1d dc(itemid) | appendcols [ search index=test source=testsource tag=removed | timechart span=1d dc(itemid) ]
I was thinking if I could change the query to just return the numbers without the _time column and then use latest=-5d, I could then do the line chart using those values, but I am having issues getting just the numbers.
Not sure if this is what you're looking for, but you can shift _time of one of the searches by adding that amount to all rows of that search, like this:
index=test source=testsource tag=failed | timechart span=1d dc(itemid) as failed | eval _time=relative_time(_time,"+5d") | appendcols [ search index=test source=testsource tag=removed | timechart span=1d dc(itemid) as removed ]
Your requirement seems a little complex, so I believe more details/examples would help here.
The +5d does the trick. It moves the lines to have the proper relationship. I have 2 items to fix for the graph to look correct. With the shift, the 1st 5 days of the modified line are flat. The other issue is, since I am playing with the date, I think it would be better if I could hide the x-axis label and not show the date.
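Added example, not from the thread: the same 5-day shift, but with the two series merged by append and stats ... by _time, so that rows are matched on the shifted timestamp rather than by row position as appendcols does. The index, source, tag and itemid names are the thread's; the fixed column (failed minus removed, assuming an object that failed and was not removed 5 days later was fixed) and the final where trim are assumptions added for illustration.

```spl
index=test source=testsource tag=failed
| timechart span=1d dc(itemid) as failed
| eval _time=relative_time(_time,"+5d")
| append
    [ search index=test source=testsource tag=removed
    | timechart span=1d dc(itemid) as removed ]
| stats max(failed) as failed max(removed) as removed by _time
| where isnotnull(failed) AND isnotnull(removed)
| eval fixed=failed-removed
| sort 0 _time
```

After the shift, the first 5 days of the window have no failed bucket and the last 5 shifted days have no removed bucket, so the where clause keeps only the days on which both series have a value.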