What is being counted in this query? Here it is:
| `tstats` count from datamodel=Authentication by _time span=10m | timechart minspan=10m count
The best I can figure out, it is counting from the data model named "Authentication" by the field "_time" in 10-minute increments. However, that doesn't really explain what is being counted. It doesn't specify a field other than _time, and the search would be kind of useless if it only counted in 10-minute intervals with nothing else. Does anyone have any ideas as to what this search is doing?
If it helps, the search was dubbed "Access - Access Over Time".
If no field name is passed (just count is used and not count(field)), it's counting the number of records from the data source.
The by _time span=10m is causing the _time field to be bucketed into 10-minute sections, e.g. 10/14/2016 00:00, 10/14/2016 00:10, 10/14/2016 00:20, ..., and then the count (of results which fall under that _time bucket) is done for each bucket value of _time.
The output would be like this:
10 min bucketed _time value --- count of events from datamodel=Authentication which have _time within range of bucketed _time
_time ---- count
10/14/2016 00:00 ---- xxx
10/14/2016 00:10 ---- yyyy
10/14/2016 00:20 ---- zzzz
That helps, thank you!
So just for clarification, the timechart part at the end is just formatting the data into a timechart right?
Yes, timechart creates a chart/table like this one:
_time ---- count
10/14/2016 00:00 ---- xxx
10/14/2016 00:10 ---- yyyy
10/14/2016 00:20 ---- zzzz
That is correct...
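To make the two answers above concrete, here is an added Python simulation (not part of this thread, and not Splunk code) of what `| tstats count from datamodel=Authentication by _time span=10m | timechart minspan=10m count` does to a handful of records. The events are constructed sample data standing in for the Authentication data model; `tstats_count_by_time` reproduces the bare `count` (every record counts, whatever fields it has) versus `count(field)` (only records where the field is present), bucketed by flooring `_time` to a 10-minute boundary, and `timechart` renders the result as a contiguous time series, emitting a zero row for a bucket with no events so a gap in logins shows up as a dip rather than a missing row.

```python
from datetime import datetime, timezone

SPAN_SECONDS = 600  # span=10m in the SPL query


def _t(stamp):
    """Parse 'MM/DD/YYYY HH:MM:SS' as UTC into epoch seconds (the _time field)."""
    return int(datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


# Constructed sample records standing in for datamodel=Authentication.
# One record deliberately has no 'user' value, to show the difference
# between count (all records) and count(user) (records with that field).
SAMPLE_EVENTS = [
    {"_time": _t("10/14/2016 00:00:05"), "user": "alice", "action": "success"},
    {"_time": _t("10/14/2016 00:03:40"), "user": "bob",   "action": "failure"},
    {"_time": _t("10/14/2016 00:09:59"), "user": None,    "action": "failure"},
    {"_time": _t("10/14/2016 00:10:00"), "user": "carol", "action": "success"},
    {"_time": _t("10/14/2016 00:31:12"), "user": "alice", "action": "success"},
]


def bucket_start(epoch, span=SPAN_SECONDS):
    """Floor an epoch timestamp to the start of its span-sized bucket."""
    return epoch - (epoch % span)


def tstats_count_by_time(events, span=SPAN_SECONDS, field=None):
    """Simulate '... count [or count(field)] by _time span=<span>'.

    Returns {bucket_start_epoch: count}. With field=None every record is
    counted; with a field name only records where that field is non-null
    are counted, mirroring count(field) semantics.
    """
    counts = {}
    for ev in events:
        if field is not None and ev.get(field) is None:
            continue
        bucket = bucket_start(ev["_time"], span)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


def fmt(epoch):
    """Render a bucket start the way the answer above shows it."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M")


def timechart(counts, span=SPAN_SECONDS):
    """Simulate 'timechart count': one row per bucket from first to last,
    including empty buckets (count 0) so the series has no gaps."""
    if not counts:
        return []
    first, last = min(counts), max(counts)
    rows = []
    bucket = first
    while bucket <= last:
        rows.append((fmt(bucket), counts.get(bucket, 0)))
        bucket += span
    return rows


if __name__ == "__main__":
    per_bucket = tstats_count_by_time(SAMPLE_EVENTS)
    print("_time ---- count")
    for when, n in timechart(per_bucket):
        print(f"{when} ---- {n}")
    by_user = tstats_count_by_time(SAMPLE_EVENTS, field="user")
    print("count(user) in first bucket:", by_user[min(by_user)])
```

Running it prints the 00:00 bucket with 3 events, 00:10 with 1, 00:20 with 0 and 00:30 with 1; switching to `count(user)` drops the first bucket to 2 because the record without a user is skipped. That distinction matters when the panel is used to watch for authentication floods or outages: the plain `count` version in the thread's query counts every authentication record, successful or failed, with or without a resolved user.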