sourcetype=your_sourcetype earliest=-7d@d | timechart count by status
This search will give the last week's daily status counts in different colors. You'll likely have 200 off the chart so it may be worth making the 200 an overlay. Go to Format > Chart Overlay and select 200, then view it as its own axis in order to let the other codes actually be seen. I also stacked the values so they're easier to see too.
Hi, what can I do if I wanted to group all the 400 in the same color?
Thanks,
This question is over two years old with an accepted answer. If you have a similar problem, please post a new question.
Thank you. I was trying the query below; can you please check it and tell me how to get the results using the bin and span commands with chart?
index="nbcutelemundo" | bin span=1s _time | stats count(status) as status_count by _time,status | chart status_count by _time,status span=1d
sourcetype=access_combined status=* | bucket _time span=1d | chart count by _time, status
Once again, I overlaid the 200's so that you can actually see the other values.
Thank you so much!