I would like to create a timeline chart panel that displays the distinct count of events based on some field and then groups the timeline based on a string datetime field. I think I have it but need to confirm this is the right and best way.
sourcetype="data.stats" | where message_type="Check" | convert timeformat="%Y-%m-%d" ctime(pdate) AS date | timechart dc(check_id) by date
I think it's right but not sure as it does resemble this panel which would be correct if the date field corresponded to the current datetime.
sourcetype="data.stats" | where message_type="Check" | timechart dc(check_id)
@jdepp - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.