Hi all.
I have a search like this:
index=log sourcetype=data TYPE="PLATFORM" | timechart span=1d count by AREA limit=100 | addtotals
Now, I must replicate with a search like this:
index=log sourcetype=data TYPE="PLATFORM" | eventstats sum(QP) AS QTOTAL by AREA | timechart span=1d count(QP) by AREA limit=100 | addtotals
but this has been unsuccessful. QP is a number field. I need to show day by day the total by AREA.
Suggestions?
Thanks!
Would this work?
index=log sourcetype=data TYPE="PLATFORM" | timechart span=1d count(QP) sum(QP) AS Total by AREA limit=100
Have you just tried:
index=log sourcetype=data TYPE="PLATFORM" | timechart span=1d sum(QP) AS QTOTAL by AREA limit=100 | addtotals
?
Works perfectly! Thanks! Can you answer the question with your comment?
Thanks!
index=log sourcetype=data TYPE="PLATFORM" |bucket _time span=1d | chart sum(QP) AS QTOTAL by _time AREA | addtotals
Does this get you what you need?
Please clarify which total value you need to show per day in the second query. Do you need the daily total of QTOTAL per day? Sharing some of the actual data may help.
Hi, thanks. Yes, I need the daily total of QTOTAL.
OK, I am still a little confused. Do you need both the QTOTAL per day by AREA and the count of QP events per day by AREA, or just the former?
Hi. I need only QTOTAL per day.
Then you want the comment below from @ktugwell
Let me check...