Hi,
I try to make a column chart using this search:
index=webtrafic
| rename ProcessName AS RootObject.ProcessName timestamp AS RootObject.timestamp
| fields "_time" "sourcetype" "RootObject.ProcessName" "RootObject.timestamp"
| stats dedup_splitvals=t count(RootObject.timestamp) AS "Count of timestamp" by RootObject.ProcessName
| sort limit=5 RootObject.ProcessName
| fields - _span
| rename RootObject.ProcessName AS ProcessName
| fillnull "Count of timestamp"
| fields ProcessName, "Count of timestamp"
And i get this:
My question is: How can i sort columns so i can see top 5/10 highest values?
Thank you,
Bogdan
Hi marycordova,
If i use this command, i get this error:
Error in 'chart' command: The specifier 'Count of timestamp' is invalid. It must be in form (). For example: max(size).
The search job has failed due to an error. You may be able view the job in the Job Inspector.
if, however, i use this command:
(index=* OR index=_*) (index=webtrafic)
| rename ProcessName AS RootObject.ProcessName timestamp AS RootObject.timestamp
| fields "_time" "sourcetype" "RootObject.ProcessName" "RootObject.timestamp"
| stats dedup_splitvals=t count(RootObject.timestamp) AS "Count of timestamp" by RootObject.ProcessName
| sort limit=100000 RootObject.ProcessName
| fields - _span
| rename RootObject.ProcessName AS ProcessName
| fillnull "Count of timestamp"
| fields ProcessName, "Count of timestamp"
| sort -"Count of timestamp"
I get this:
Thank you.
Bogdan
