Is there a way, that anyone is aware of, to timechart off of a fieldsummary? I can break down the fieldsummary by timecharting first, but I just end up with repeated field names with what looks like hashes appended to them, which is weird. I am trying to determine all the NULL fields and present them in a timecharted graph by day. Currently, without the timechart portion, this is what I have.
...| fieldsummary
| search values=*Unknown*
| rex field=values "\"value\":\"Unknown\",\"count\":(?<null_count>\d+)"
| eval percent_null=(null_count/count)*100
| eval Percent1=100-percent_null
| fields field Percent1 null_count
The timechart command requires the _time field, which fieldsummary does not supply.
The _time can be used prior to the fieldsummary command being run; I just get crazy outputs. If there is a better way to do what I am trying to do, that would work too. I am just not quite sure how to get it to work right.
Is there another way to do what? Please describe your desired output. What do you mean by "crazy outputs"? What problem are you trying to solve?
I am trying to trend NULL values over time. There are 12 fields in total. I am attempting to get it to trend by day, where it shows the fields that are NULL along with the counts for those fields, in addition to a percentage of ones that were not NULL. I can provide the output I get on Monday, but I think it might be better to take a step back and see if anyone has an idea for a better way to do this.
| gentimes start=-30 increment=1h
| rename starttime as _time
| fields _time
| eval fielda="a".mvindex(split("ABC",""),random()%4)
| eval fieldb="b".mvindex(split("ABC",""),random()%4)
| eval fieldc="c".mvindex(split("ABC",""),random()%4)
| eval fieldd="d".mvindex(split("ABC",""),random()%4)
| eval fielde="e".mvindex(split("ABC",""),random()%4)
| eval fieldf="f".mvindex(split("ABC",""),random()%4)
| foreach *
[| eval null_<<FIELD>>=if(isnull(<<FIELD>>),1,null)]
| timechart span=1d sum(null_*) as null_*
Thank you. This is a very nice solution.
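The accepted answer above produces the daily NULL counts but not the "percentage that were not NULL" the asker also wanted, and it counts true NULLs only, whereas the original fieldsummary search was looking for the literal string "Unknown". The search below is an added example, not code from the thread, that extends the answer in both directions: it keeps the gentimes/eval block as constructed sample data (fielda, fieldb and fieldc are placeholder names; the "Unknown" literal is an assumption about how the real data marks missing values), counts a field as missing when it is NULL or equals "Unknown", and then derives a per-field percentage of events where the field was present on each day. On real data, replace everything up to and including the eval lines with the base search that returns the 12 fields.

```spl
| gentimes start=-30 increment=1h
| rename starttime as _time
| fields _time
| eval fielda="a".mvindex(split("ABC",""),random()%4)
| eval fieldb="b".mvindex(split("ABC",""),random()%4)
| eval fieldc=if(random()%5=0,"Unknown","c".mvindex(split("ABC",""),random()%3))
| foreach field* [| eval null_<<FIELD>>=if(coalesce(<<FIELD>>,"Unknown")="Unknown",1,0)]
| timechart span=1d count AS total sum(null_*) AS null_*
| foreach null_* [| eval pct_present_<<MATCHSTR>>=round(100*(total-<<FIELD>>)/total,1)]
```

A few notes on the construction. mvindex with index 3 into a three-element multivalue returns NULL, and concatenating a string with NULL yields NULL, which is why fielda and fieldb come out empty about a quarter of the time; fieldc instead carries the "Unknown" marker in roughly one event in five, so the example exercises both cases. coalesce(<<FIELD>>,"Unknown") folds a NULL into the same literal before the comparison, which avoids relying on how eval combines a NULL with OR. The foreach is restricted to field* rather than * so that _time is not turned into a null__time column. The count AS total in the timechart gives the per-day denominator, and <<MATCHSTR>> in the second foreach is the part of the field name matched by the wildcard, so null_fielda yields pct_present_fielda. Flagging with 0 instead of NULL makes the sum explicit; sum() ignores NULLs either way, so the answer's if(isnull(...),1,null) form gives the same totals.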