Hi,
index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll" |timechart span=1d count | trendline sma2(count) as trend | stats latest(count) as Count latest(trend) as trend | eval alert=if(trend > Count, "yes", "no")
I have the above query, which has three fields: count, trend and alert.
But I am not able to get the values for the three fields for the last 7 days, i.e. I want the values for the three fields to be displayed along with the date for the last 7 days.
Thanks in advance
Thank you.
One more thing, we have the following query
index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll" |timechart span=1d count | trendline sma2(count) as trend |stats latest(count) as count latest(trend) as trend | eval alert=if(trend > count, "yes", "no")
But in this query the timechart is not working; we are not getting the _time field.
Thanks in advance
Try this. Since you are using sma2 for your trendline, you will not see trend for the latest event.
index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll" | timechart span=1d count | trendline sma2(count) as trend | eval alert=if(trend > count, "yes", "no")
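
To see the shape of the result without access to the Exchange index, here is an added example that is not part of the original thread: `makeresults` stands in for the `timechart span=1d count` output, and the `day` field and the seven daily counts are constructed sample values. Because no `stats latest(...)` follows `trendline`, every day stays on its own row with `_time`, `count`, `trend` and `alert`.

```spl
| makeresults count=7
| streamstats count as day
| eval _time=relative_time(now(), "-" . (8 - day) . "d@d")
| eval count=case(day=1, 120, day=2, 135, day=3, 128, day=4, 150, day=5, 110, day=6, 95, day=7, 90)
| trendline sma2(count) as trend
| eval alert=if(trend > count, "yes", "no")
| table _time count trend alert
```

Field names in `eval` are case-sensitive, so the comparison must use the lowercase `count` that `timechart` emits.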