Hey guys,
I am trying to create a custom search which the question directly states. How would I go about doing that? I tried running this:
sourcetype=doccloud_catalina FolderLoggingAction "new OOID Folder"|top limit=5 host | timechart span=1d count
Which is saying to look at that specific sourcetype, with the FolderLogging Action and looking for any new creations of OOID folder for the 5 most active hosts and filter it into a chart which displays it weekly. Can anyone guide me in the right direction?
Thanks for your help
I think this is what you are looking for?
sourcetype=doccloud_catalina FolderLoggingAction "new OOID Folder"
| timechart span=7d limit=5 count by host
Thanks for your answer!!! Only one thing though, it is only displaying for one host and I noticed there are two hosts that are active. Do you know how to go about displaying both hosts in the chart?
Make sure that your initial search is including both hosts.
For example, run the search
sourcetype=doccloud_catalina FolderLoggingAction "new OOID Folder"
And go to the hosts field to make sure there are two hosts. If there are, timechart should create a new line for each host in that time range. If you still don't see the second host, make sure that the values are not zero. Are they coming up in the legend for the timechart?
I switched the visualization view and both hosts are coming up on different graphs/charts but for some reason on a pie chart it only displays one host?
Hmm. At that point, screenshots will. I'm not sure without seeing what you are talking about.