Hi everybody,
I have the following problem and cannot seem to be able to wrap my head around it:
Here is what I have so far. I believe I am always getting lost when using an aggregate function such as count() because adding something to the result using eval just won't work.
index="my_index" eventtype=* host="$HOST_FROM_DROPDOWN$"
| lookup my-events eventtype
| eventstats count by eventtype
| where alert_threshold > 0 AND count > alert_threshold
| stats count by eventtype
| eval Threshold = alert_threshold
What I do understand is that I have to add the "Threshold" variable in the overlay Options of the chart.
Any help is much appreciated. Thank you
| stats count values(alert_threshold) as alert_threshold by eventtype
Thank you very much. I got it working as expected like this:
index="my_index" eventtype=* host="dropdown_value..."
| lookup my_lookup eventtype
| stats count values(alert_threshold) as alert_threshold by eventtype
| where alert_threshold > 0 AND count > alert_threshold
| sort count desc
Now the only thing left is that the threshold value is drawn as a dot in the chart. I'd like it to be a line going across the entire bar. Is that possible?
You will get a dot if there is only 1 point on the line, e.g. only one event type breaches the threshold.
Acknowledged. Thanks