I am trying to do a time chart that would show 1-day counts over 30 days comparing the total amount of events to how many events had blocked or allowed associated. The action field is in text and not in integers. It seems like timechart does not like taking a recurring count out of a text field broken down by day. I had tried converting the action field into a num by
| convert num(action) but I am still getting an error of action being invalid.
| eval action=case(action="blocked","Blocked",action="notified","Allowed") | timechart span=1d count by sourcetype,action
The problem is that you can't split by more than two fields with a chart command.
timechart already assigns _time to one dimension, so you can only add one other with the by clause.
You could do something like this:
... | eval action=case(action="blocked","Blocked",action="notified","Allowed") | bin span=1d _time | stats count by _time sourcetype action
(which halfway does explicitly what timechart does under the hood for you) and see if that is what you want. I suggest you read up on sideviews answer here for some more detail.
My sourcetype has a field called action that can be either blocked or notified. In a timechart fashion I want to show the amount of blocked, notified, and total events associated with my sourcetype. I tried the code you gave me and there are a couple of different things that happened. Only the total count of events was produced, the eval function didn't occur and the chart is still showing action, and the chart is not a true way to look at trend lines because it does not account for days that have no events. It will only chart days that have events.
@jeffland is correct in why yours will not work. You can also try this:
... | eval sourcetype_action = sourcetype . "::" . case(action="blocked","Blocked",action="notified","Allowed") | timechart span=1d count BY sourcetype_action
Tried this and it seems like it's doing what I need it to do. However, it's showing me blocked or allowed action during a day where there was no activity according to Null. The null field is the sourcetype I believe.
I renamed sourcetype to account for null. I ran a search against my sourcetype and saw I had 4 events on November 4th but no spikes for the sourcetype and 4 allowed events. It seems that only one spike in one of the evals per day is allowed through this method.
... | eval sourcetype_action = sourcetype . "::" . case(action="blocked","Blocked",action="notified","Allowed", true(), "N/A") | timechart span=1d count BY sourcetype_action
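A different way to get the three series the original question asks for (total, blocked, allowed) on one timechart, as an added example that is not part of any answer in this thread: instead of splitting by a combined field, compute each series as its own aggregation with count(eval(...)), which is standard SPL. It assumes the field names sourcetype and action as used above; the sourcetype value in the base search is a placeholder to replace with your own.

```spl
sourcetype=<your_sourcetype>
| eval action=case(action="blocked","Blocked", action="notified","Allowed", true(), "N/A")
| timechart span=1d cont=true
      count AS total,
      count(eval(action="Blocked")) AS blocked,
      count(eval(action="Allowed")) AS allowed
```

The true() branch in case() gives every event an action value, so events with a missing or unexpected action are counted in total but not in blocked or allowed, rather than showing up under a null column. timechart fills in every 1-day bucket in the search window (cont=true is the default) and reports 0 for days with no events, so the trend line is not limited to days that had activity. Because the base search is restricted to one sourcetype there is no BY clause, which keeps the result to exactly three columns.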