I have the following problem and cannot seem to be able to wrap my head around it:
Here is what I have so far. I believe I am always getting lost when using an aggregate function such as count() because adding something to the result using eval just won't work.
index="my_index" eventtype=* host="$HOST_FROM_DROPDOWN$" | lookup my-events eventtype | eventstats count by eventtype | where alert_threshold > 0 AND count > alert_threshold | stats count by eventtype | eval Threshold = alert_threshold
What I do understand is that I have to add the "Threshold" variable in the overlay Options of the chart.
Any help is much appreciated. Thank you.
Thank you very much. I got it working as expected like this:
index="my_index" eventtype=* host="dropdown_value..." | lookup my_lookup eventtype | stats count values(alert_threshold) as alert_threshold by eventtype | where alert_threshold > 0 AND count > alert_threshold | sort count desc
Now the only thing left is that the threshold value is drawn as a dot in the chart. I'd like it to be a line going across the entire bar. Is that possible?