I have a search w/ a stats function that illustrates multiple individual errors. Once that search completes, I would like to see a 7-day timechart for each individual error. Sometimes the report could generate 1 timechart in the PDF, or sometimes multiple errors in the PDF, depending on what comes out of the stats.
This is the concept:
... | stats count by testERROR | where count > 10 | map timechart count by testERROR
create pdf and email with timecharts
... [search ... | stats count by testERROR | where count > 10 | fields testERROR] | timechart count by testERROR
No map? This looks like it's just running a subsearch for the same thing.
I was hoping to take the output from a search and map it to individual searches w/ timecharts.
If you prefer individual timecharts, then use map like this:
... | stats count by testERROR | where count > 10 | map search="search testERROR=$testERROR$ | timechart count"
map [search index=test earliest=-2d testERROR=$testERROR$ | timechart fixedrange=F count by testERROR]
Any idea how to make the Y axis less jumbled?
Looks like it's overwriting w/ each map loop.