I have a scheduled search which generates a lookup file similar to the one below.
Whenever I run the stats command on this data it runs perfectly fine. But whenever I try to run the timechart command it doesn't work, like below:
search ...| timechart count by image_name
search ... | timechart count(image_name)
or any permutation I try I get either zero or null, but not the actual count or aggregate function. Basically I am looking to use span/bin on this data but I am unable to do that, so I thought of using the timechart command.
I have properly formatted the time to _time by converting it into epoch time and then into the %c standard format.
I am not sure why timechart is not working on the lookup/csv file data.
What's your need?
Do you want to count values or only display them?
If you want to count events or sum values you could use the chart command:
my_search | chart count over _time BY image_name
If instead you want only to display values, you could use the table command:
my_search | table _time image_name os_name
I just copied your entire lookup from the image and tried this myself by creating a .csv.
I don't have zeros in all rows, so it seems that your csv is not well formatted. Can you try what I just did?
Create a csv in a plaintext file:
_time,image_name,os_name
10/01/2018, azure1, CentOS7
10/02/2018, azure1, CentOS7
15/02/2018, azure1, CentOS7
20/02/2018, azure3, CentOS7
10/03/2018, azure3, CentOS7
11/03/2018, azure2, CentOS7
12/03/2018, azure2, CentOS7
Save it like this as csv_timechart.csv, put it in the lookup folder of the app you are using, and run the command I told you.
Feed us back please
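An added worked example, not part of either answer above: timechart and bin need _time to be a numeric epoch value, so a date stored as a formatted string (as in the CSV in the previous answer, or after converting epoch into the %c text format) has to be parsed back into epoch before it can be bucketed. This assumes the csv_timechart.csv lookup from the previous answer with its day/month/year dates, and that the spaces after the commas come through as leading spaces in the field values, which the trim() calls remove.

```spl
| inputlookup csv_timechart.csv
| eval image_name=trim(image_name), os_name=trim(os_name)
| eval _time=strptime(_time, "%d/%m/%Y")
| timechart span=1mon count by image_name
```

The same thing without timechart, for anyone who wants an explicit span/bin step (the equivalent of the previous answer's chart command with explicit bucketing):

```spl
| inputlookup csv_timechart.csv
| eval image_name=trim(image_name)
| eval _time=strptime(_time, "%d/%m/%Y")
| bin _time span=1mon
| stats count by _time image_name
```

A quick way to confirm the conversion worked is to add `| eval check=strftime(_time, "%Y-%m-%d")` after the strptime line: if check comes back empty, _time is still a string and strptime's format did not match the date layout in the lookup.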