index=_internal sourcetype=stream:stats host=* | spath Output=TcpSessionCount path=sniffer{}.processors{}.tcpSessionCount | fields - _raw | fields host TcpSessionCount | stats sum(TcpSessionCount) as TotalTcpSessionCount by host,_time | convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(_time) AS Time | fields,host,Time,TotalTcpSessionCount | stats avg(TotalTcpSessionCount) by Time
XML:
<drilldown>
/app/HTTP_DDoS_Monitor/High_DDoS_SRC_IP?form.Time=$row.Time$
</drilldown>
I can transfer $row.Time$ to a form. If I want to use timechart avg(TotalTcpSessionCount) as TcpSessionCount by host the $row.Time$ can't be transferred to a form. Can I use the timechart command to transfer _time or Time fields to a form?
index=_internal sourcetype=stream:stats host=* | spath Output=TcpSessionCount path=sniffer{}.processors{}.tcpSessionCount | fields - _raw | fields host TcpSessionCount | stats sum(TcpSessionCount) as TotalTcpSessionCount by host,_time | convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(_time) AS Time | fields,host,Time,TotalTcpSessionCount | **timechart avg(TotalTcpSessionCount) as TcpSessionCount by host**
