Hello,
I am trying to show the last 5 minute count with a larger time period spark chart.
index="iis"
|stats sparkline count by host
|append [search index="iis" earliest=-5m latest=now
|stats count by host as "last_5"]
|rename host as "Web Server"
|rename sparkline as "Count Over Time"
|rename "last_5" as "Count Last 5 Minutes"
|table "Web Server", "Count Over Time", "Count Last 5 Minutes"
The last column is blank but the subsearch returns the expected data.
Give this a try
index="iis"
| eval last5m=if(_time>=relative_time(now(),"-5m"),1,0)
|stats sparkline as "Count Over Time" sum(last5m) as "Count Last 5 Minutes" by host
|rename host as "Web Server"
|table "Web Server", "Count Over Time", "Count Last 5 Minutes"
Give this a try
index="iis"
| eval last5m=if(_time>=relative_time(now(),"-5m"),1,0)
|stats sparkline as "Count Over Time" sum(last5m) as "Count Last 5 Minutes" by host
|rename host as "Web Server"
|table "Web Server", "Count Over Time", "Count Last 5 Minutes"
Worked great, thank you!