Time Window feature Override with event time field...

liondancer · ‎06-05-2018

I have events that arrive present time but have time fields of something similar to

index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=01 event_count=100

The event arrived at 2018-06-05 but has time field values of year=2018 month=04 day=01 hour=01
I want to be able to manipulate my time window feature for all events with the same month, day, hour, and year fields

Use case:

index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=01 event_count=100
index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=01 event_count=120
index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=02 event_count=10
index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=02 event_count=200

For the example events above arrived on 2018-06-01, I want to be able to use my Time Window feature and pick a DateRange in between 2018-04-01 AND 2018-04-02 and the sample events ABOVE will be returned. How can I do so?

I want to make a chart where the X axis is the time fields and the Y axis is the sum() of all the event_count bounded by the Time Window feature against the event time fields.

       X        |    Y
2018-04-01-01       220 
2018-04-01-02       210

Time Window feature Override with event time fields

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?