Hi Team,
I have a scheduled search which generates a lookup file similar to below
Whenever I run the stats command on this data it runs perfectly fine. But whenever I try to run the timechart command it doesn't work, like below
search ...| timechart count by image_name
search ... | timechart count(image_name)
or any permutation I try, I get either zero or null but not the actual count or aggregate function. Basically I am looking to use span/bin on this data but I am unable to do that, so I thought of using the timechart command.
I have properly formatted the time to _time by converting into epoch time and then into %c standard format.
I am not sure why timechart is not working on the lookup/csv file data.
Hi @ashish9433 ,
Can you please try this?
YOUR_SEARCH | eval _time=strptime(_time,"%m/%d/%Y")| timechart count by image_name
Thanks
I already did this, the problem is the result is shown as a list of all image_name values as columns and dates as rows with all zeros in all the rows of all the columns, and thus the issue!
Hi ashish9433,
what's your need?
do you want to count values or only display them?
if you want to count events or sum values you could use chart command
my_search
| chart count over _time BY image_name
If instead you want only to display values, you could use table command
my_search
| table _time image_name os_name
Bye.
Giuseppe
I want to group by span=15d and have a visualization and also use a single value with trend indicator option.
I tried span, bin and timechart none of them is working on lookup data.
Hey
Please try this option:
| inputlookup csv_timechart.csv
| eval _time=strptime(_time,"%m/%d/%Y")
| timechart count by image_name
I already did this, the problem is the result is shown as a list of all image_name values as columns and dates as rows with all zeros in all the rows of all the columns, and thus the issue!
I just copied your entire lookup in the image and tried this myself by creating a .csv.
I don't have zeros in all rows and so it seems that your csv is not well formatted. Can you try what I just did?
Create a csv in a plaintext file:
_time,image_name,os_name
10/01/2018, azure1, CentOS7
10/02/2018, azure1, CentOS7
15/02/2018, azure1, CentOS7
20/02/2018, azure3, CentOS7
10/03/2018, azure3, CentOS7
11/03/2018, azure2, CentOS7
12/03/2018, azure2, CentOS7
Save it as csv_timechart.csv, put it in the lookup folder of the app you are using, and run the command I told you.
Feed us back please
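Added example, not posted by anyone in this thread: a small Python model of the `eval _time=strptime(...)` plus `timechart span=15d count by image_name` step, run over the CSV rows above. It assumes, as Splunk does, that a row whose _time does not match the strptime format gets a null _time and therefore never lands in a bucket; bucket alignment to multiples of the span from epoch 0 is a simplification of Splunk's own alignment. It shows that with "%m/%d/%Y" rows such as 15/02/2018 drop out and 11/03/2018 is silently read as November 3, which is one way to end up with a mostly empty chart, while with "%d/%m/%Y" every row bins correctly.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample: the rows posted in this thread, verbatim
SAMPLE_CSV = """_time,image_name,os_name
10/01/2018, azure1, CentOS7
10/02/2018, azure1, CentOS7
15/02/2018, azure1, CentOS7
20/02/2018, azure3, CentOS7
10/03/2018, azure3, CentOS7
11/03/2018, azure2, CentOS7
12/03/2018, azure2, CentOS7
"""


def parse_time(value, fmt):
    """Behave like Splunk's strptime(): epoch seconds on a match, None when the
    value does not fit fmt (Splunk leaves _time null in that case)."""
    try:
        dt = datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return int(dt.timestamp())


def timechart_count(csv_text, fmt, span_days=15):
    """Approximate `| eval _time=strptime(_time, fmt) | timechart span=<N>d count by image_name`.
    Buckets are aligned to multiples of the span from epoch 0 (a simplification of
    Splunk's alignment) and keyed by the bucket start date (YYYY-MM-DD).
    Returns (buckets, unparsed); unparsed rows never reach a bucket, which is what
    shows up as zeros or nulls in the chart."""
    span = span_days * 86400
    buckets = defaultdict(Counter)
    unparsed = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        t = parse_time(row["_time"], fmt)
        if t is None:
            unparsed.append(row["_time"].strip())
            continue
        start = datetime.fromtimestamp((t // span) * span, tz=timezone.utc)
        buckets[start.strftime("%Y-%m-%d")][row["image_name"].strip()] += 1
    return dict(buckets), unparsed


if __name__ == "__main__":
    for fmt in ("%m/%d/%Y", "%d/%m/%Y"):
        buckets, unparsed = timechart_count(SAMPLE_CSV, fmt)
        print(fmt, "-> buckets:", buckets, "unparsed:", unparsed)
```

Run it against your own lookup to see which rows fall into `unparsed`; any non-empty list there means the strptime format does not match what the CSV actually contains.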
Can you provide query you are using for converting?