Hello. I would like to know if there is any specific, convenient way to perform stats count by various dates.
Using |metadata type=hosts |fields host totalCount, I get something like this:
host  totalCount
A     5
B     27
C     48
D     95
I would like to perform stats count by name over a period of time, by date,
but the problem is that the log does not come with the timestamp.
As a result, I've been manually performing
|metadata type=hosts |fields host totalCount | stats count by Name (Set the timestamp to earliest=-2d@d latest=-d@d)
|metadata type=hosts |fields host totalCount | stats count by Name (Set the timestamp to earliest=-3d@d latest=-2d@d)
|metadata type=hosts |fields host totalCount | stats count by Name (Set the timestamp to earliest=-4d@d latest=-3d@d)
... ... ...
and so on.
Is this the only way, or is there an easier way to run the query to collect all the counts by date and get something like this:
host  12/04/14  12/05/14  12/06/14  ...
A     5         10        ...
B     27        12        ...
C     48        40        ...
D     95        25        ...
Thanks in advance!
The metadata command doesn't contain the time field for when the report was generated. Try this workaround:
| metasearch index=* | eval Date=strftime(_time,"%Y-%m-%d") | chart count over host by Date
The chart it is generating is exactly what I want, but the problem is that it is giving the wrong count.
Moreover, after 2 days count (as of today, 2014-12-10, 2014-12-11), all I'm getting is 0 for the count, which isn't true.
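
One way to build the host-by-date table asked for in this thread, as an added example that is not part of the original posts: tstats counts indexed events per host in one-day buckets of _time, and chart pivots the days into columns. The seven-day window and index=* are assumptions to adjust; limit=0 stops chart from folding columns beyond its default series limit into OTHER.

```spl
| tstats count where index=* earliest=-7d@d latest=@d by host, _time span=1d
| eval Date=strftime(_time, "%Y-%m-%d")
| chart limit=0 sum(count) AS count over host by Date
| fillnull value=0
```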