sourcetype="SysEvents" OR sourcetype="Sysout" TransactionId=TI* AND TransactionId!=TI earliest=-d@d latest=@d
| timechart span=1h count
| eval Hour = strftime(_time, "%H")
| stats avg(count) as AverageCount by Hour
| join Hour
[sourcetype="SysEvents" OR sourcetype="Sysout" TransactionId=TI* AND TransactionId!=TI AND TransactionId!=OPF earliest=@d latest=@h
| timechart span=1h count
| eval Hour = strftime(_time, "%H")
| stats count as TodaysCount by Hour]
It seems to be working fine, but it doesn't show any results if one of the search periods doesn't have any results.
No, what I am looking for is something like this, and to display these stats on a timechart.
Hours  AverageCount  TodaysCount
00     4             0
01     0             3
02     5             2
...
24     0             0
Thanks.
Try append with stats. Also, I'm not sure how this is running without a search command inside the subsearch.
sourcetype="SysEvents" OR sourcetype="Sysout" TransactionId=TI* AND TransactionId!=TI earliest=-d@d latest=@d
| timechart span=1h count
| eval Hour = strftime(_time, "%H")
| stats avg(count) as AverageCount by Hour
| append
[search sourcetype="SysEvents" OR sourcetype="Sysout" TransactionId=TI* AND TransactionId!=TI AND TransactionId!=OPF earliest=@d latest=@h
| timechart span=1h count
| eval Hour = strftime(_time, "%H")
| stats count as TodaysCount by Hour]
| stats min(AverageCount) as AverageCount, min(TodaysCount) as TodaysCount by Hour | fillnull value=0 AverageCount TodaysCount
You should check out timewrap. This will do exactly what you need. It should always be used after the timechart command, like this. Make sure to set your time range to something like the last 7 days so you can get 7 lines showing day over day.
sourcetype="SysEvents" OR sourcetype="Sysout" TransactionId=TI* AND TransactionId!=TI earliest=-7d@d latest=@d
| timechart span=1h count
| timewrap 1d
I am sorry, it did work, but it doesn't display anything if both of the time ranges don't have any transactions.
This is a very expensive search; you should look into leaning it out.
No, this is what I am looking for.
Hours  AverageCount  TodaysCount
00     4             0
01     0             3
02     5             2
...
24     0             0
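Added example, not from any poster in this thread: to get a row for every hour even when one or both searches return nothing (the case left open above), generate the 24 hours with makeresults first, append the two searches, then merge and zero-fill. The search terms and time modifiers are the ones used in the thread; the only assumption is that the baseline window is widened to the last 7 days, as the timewrap answer suggests, so that avg(count) is a real per-hour average rather than a single day's count.

```spl
| makeresults
| eval Hour=mvrange(0,24)
| mvexpand Hour
| eval Hour=if(Hour<10, "0".tostring(Hour), tostring(Hour))
| fields Hour
| append
    [search sourcetype="SysEvents" OR sourcetype="Sysout" TransactionId=TI* AND TransactionId!=TI earliest=-7d@d latest=@d
    | timechart span=1h count
    | eval Hour=strftime(_time, "%H")
    | stats avg(count) as AverageCount by Hour]
| append
    [search sourcetype="SysEvents" OR sourcetype="Sysout" TransactionId=TI* AND TransactionId!=TI AND TransactionId!=OPF earliest=@d latest=@h
    | timechart span=1h count
    | eval Hour=strftime(_time, "%H")
    | stats count as TodaysCount by Hour]
| stats max(AverageCount) as AverageCount, max(TodaysCount) as TodaysCount by Hour
| fillnull value=0 AverageCount TodaysCount
| sort Hour
```

The scaffold rows carry neither count field, so max() per Hour picks up whichever value a subsearch supplied and fillnull turns the rest into 0; an hour that shows AverageCount well above 0 and TodaysCount of 0 is then visible as a drop rather than silently missing.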