Hello,
I am having difficulty creating a comparison chart for the following data structure:
search    Count    Date
_________________________________________
check1    5        07/5/2019
check2    3        07/5/2019
check3    6        07/5/2019
check1    7        07/6/2019
check2    12       07/6/2019
check3    2        07/6/2019
This is an example for the structure. There can be more dates.
What I am trying to achieve is a line chart by search, where every line represents a search and there is a timeline by the date value.
To be clearer, the X axis will be the date, and the y axis will be the count.
Can anyone assist me with this?
The data is coming from a lookup file.
Try this anywhere:
| makeresults count=1
| eval data = "check1,5,07/5/2019;;;check2,3,07/5/2019;;;check3,6,07/5/2019;;;check1,7,07/6/2019;;;check2,12,07/6/2019;;;check3,2,07/6/2019"
| makemv delim=";;;" data
| mvexpand data
| rex field=data "(?<search>[^\,]+)\,(?<COUNT>\d+)\,(?<Date>.+)"
| eval _time = strptime(Date, "%m/%d/%Y")
| rename COMMENT as "the above generates data below is the solution"
| timechart span=1d max(COUNT) as max_count by search
Work with the formula.
Hope it helps.
Your solution is a bit problematic, because the number of searches is changing.
How come? The split with the by clause will take as many searches as there are under that field.
I don't see split with by.
But maybe you can help me with another idea I had.
Instead of this, I want to calculate the difference between the two most recent searches by search.
So if I had another date of 7/7/2019, it would calculate the difference between every count value of every search between 7/7/2019 and 7/6/2019.
Try this:
| makeresults count=1
| eval data = "check1,5,07/5/2019;;;check2,3,07/5/2019;;;check3,6,07/5/2019;;;check1,7,07/6/2019;;;check2,12,07/6/2019;;;check3,2,07/6/2019;;;check1,15,07/7/2019;;;check2,13,07/7/2019;;;check3,26,07/7/2019;;;check1,17,07/8/2019;;;check2,22,07/8/2019;;;check3,9,07/8/2019"
| makemv delim=";;;" data
| mvexpand data
| rex field=data "(?<search>[^\,]+)\,(?<COUNT>\d+)\,(?<Date>.+)"
| eval _time = strptime(Date, "%m/%d/%Y")
| rename COMMENT as "the above generates data below is the solution"
| streamstats current=f global=false window=2 last(COUNT) as previous_count by search
| eval delta = COUNT - previous_count
Thanks for your help,
I understand now what you have tried to do in the first solution.
It doesn't work for some reason.
The second solution worked fine, but I need only the last date rows (max date). I will try to solve it, but if you know how to do it, that will be great.
I added this to the second solution eventually:
| eventstats max(date) as maxdate
| where date = maxdate
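The two steps discussed in this thread (the delta against the previous date, then keeping only the latest date's rows) combined into one search, as an added example that is not from any of the posters. It filters on the parsed _time rather than the Date string, because max() over strings is lexicographic and would rank 07/8/2019 above 07/10/2019; latest_time is a field name chosen here and the sample rows are constructed.

```spl
| makeresults count=1
| rename COMMENT as "constructed sample rows (search,COUNT,Date) in the same shape as the thread's data"
| eval data = "check1,5,07/5/2019;;;check2,3,07/5/2019;;;check3,6,07/5/2019;;;check1,7,07/6/2019;;;check2,12,07/6/2019;;;check3,2,07/6/2019;;;check1,15,07/7/2019;;;check2,13,07/7/2019;;;check3,26,07/7/2019"
| makemv delim=";;;" data
| mvexpand data
| rex field=data "(?<search>[^,]+),(?<COUNT>\d+),(?<Date>.+)"
| eval _time = strptime(Date, "%m/%d/%Y")
| rename COMMENT as "order oldest to newest so that previous means the prior date for the same search"
| sort 0 search _time
| streamstats current=f last(COUNT) as previous_count by search
| eval delta = COUNT - previous_count
| rename COMMENT as "latest_time is an assumed field name: keep only rows on the newest date, compared as epoch time"
| eventstats max(_time) as latest_time
| where _time = latest_time
| table search Date COUNT previous_count delta
```

A search that has no row on the newest date drops out of the result; adding "by search" to the eventstats keeps each search's own latest row instead.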