So I have a dashboard currently that runs 6 reports to build all of its widgets. Basically 1 per widget. The issue is that the data each widget is summing over is huge. So instead of 6 large reports I'd prefer to have 1 huge report that each widget uses.
The issue I'm having is that the base report I want looks vaguely like this:
index=theIndex data_type=raw OR (data_type=error AND error_reason="Unknown*") | bin _time span=5m | stats count by _time,data_type,relay,alias
So simple enough really. Just going "gimme this data", dropping it into 5m bins, then give me a big table broken down by time, data_type, relay and alias. Great.
But when I want to make a time chart off of this report in a dashboard as a base search I run into some issues. When I tried the query in just plain search I threw in
| timechart span=5m count by data_type
in the dashboard search code. It just gave back the count of different relay and aliases per time period.
I know I need to grab the count value from the stats but I'm unsure of how to do it properly.
Thanks!
Hey. Thanks everyone. Both suggestions work. The issue I'm running into now is that the 15 minute report takes 30 minutes to run. So I have to sort that out now. Thanks for your help!
That's not the solution, then. I've edited my post to clarify that the span=5m was still part of the first search. If you didn't do that, then please try it.
If that doesn't solve your speed issue, then your options are establishing a summary index, and accelerating the search. Either one of those should do the trick in this case.
@jbrierton - I know you said that both solutions work, but please click “Accept” below the best answer to resolve this post so that others can find it easily if they're having the same issue. Please also at least upvote the other answer too 🙂 Thanks.
Hi jbrierton,
can you please try it with 3 searches (one base search and 2 normal searches)?
1st search (Base search):
<search id="mainBaseSearch">
<query>
index=theIndex data_type=raw OR (data_type=error AND error_reason="Unknown*") | table _time,data_type,relay,alias
</query>
</search>
2nd search
<search base="mainBaseSearch">
<query>
bin _time span=5m | stats count by _time,data_type,relay,alias
</query>
</search>
3rd search
<search base="mainBaseSearch">
<query>
timechart span=5m count by data_type
</query>
</search>
Thanks
Best practices are to always rename a count field, because trying to refer to the prior count in a later timechart (for example) won't work, because to the later command, count means to count the new transactions.
Try something like this...
index=theIndex data_type=raw OR (data_type=error AND error_reason="Unknown*")
| bin _time span=5m
| stats count as eventcount by _time,data_type,relay,alias
| timechart span=5m sum(eventcount) as eventcount by data_type
edited to clarify that the span=5m was still part of the first search
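Putting the two answers together as one Simple XML dashboard (an added example, not code from the thread): the base search runs the expensive bin/stats once with count renamed to eventcount, and each widget post-processes that result instead of re-reading the index. The index, field names and the 15 minute window come from the thread; the panel titles, the chart type and the where-filter on the second panel are assumptions.

```xml
<dashboard>
  <label>Relay error overview (added example)</label>
  <!-- Base search: a transforming command with the count renamed, so the
       post-process searches below can refer to it by name instead of
       colliding with timechart's own count. -->
  <search id="mainBaseSearch">
    <query>
      index=theIndex data_type=raw OR (data_type=error AND error_reason="Unknown*")
      | bin _time span=5m
      | stats count as eventcount by _time, data_type, relay, alias
    </query>
    <earliest>-15m@m</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Events per 5 minutes by data_type</title>
      <chart>
        <!-- Post-process: rows are already 5m bins, so re-aggregate with
             sum(eventcount); a plain count here would count rows, not events. -->
        <search base="mainBaseSearch">
          <query>timechart span=5m sum(eventcount) as eventcount by data_type</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
    <panel>
      <!-- Assumed second widget: same base rows, filtered and re-summed. -->
      <title>Unknown errors by relay and alias</title>
      <table>
        <search base="mainBaseSearch">
          <query>where data_type="error" | stats sum(eventcount) as eventcount by relay, alias | sort - eventcount</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Post-process searches only see the rows the base search returns (capped at 500,000 by default), so the base search has to end in a transforming command; if it is still too slow on its own, the summary index or report acceleration suggested above is what fixes the runtime, not the post-processing.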