Hi,
I have this search:
host="myhost.com" NOT source=*access_log* AND "SearchA" | timechart span=1d dc(App) as NotAssigned
| eval NotAssigned=NotAssigned+0 | appendcols [search SearchB
| timechart span=1d sum(Count) as Assigned ]
| eval Time=strftime(_time, "%d-%m") |table Time, Assigned, NotAssigned
This seems to work ok, but sometimes one of those variables is shown with no time for some events, and I don't know why.
This is the case:
When I made the searches individually, this was displayed correctly. But in some moments, it looks like there are some _time values missing.
Like in the attached image, today is 26-08, but the table is showing until 25-08, and one of the variables was displaced a couple of days.
Do you know how to fix it? ...
Try something like this
host="myhost.com" NOT source=*access_log* AND "SearchA" | timechart span=1d dc(App) as NotAssigned
| eval NotAssigned=NotAssigned+0 | append [search SearchB
| timechart span=1d sum(Count) as Assigned ] | stats values(*) as * by _time
| eval Time=strftime(_time, "%d-%m") |table Time, Assigned, NotAssigned
Try something like this
host="myhost.com" NOT source=*access_log* AND "SearchA" | timechart span=1d dc(App) as NotAssigned
| eval NotAssigned=NotAssigned+0 | append [search SearchB
| timechart span=1d sum(Count) as Assigned ] | stats values(*) as * by _time
| eval Time=strftime(_time, "%d-%m") |table Time, Assigned, NotAssigned
Hey somesoni2... You were right, I updated the query and I missed to change appendcols to appen ...
Seems to be ok now... Thanks a lot!
Tried, but didn't work
.. Why is this happening?
It is due to appendcols as there could be different dates available for both the queries. Could you please tell what went wrong with the query I suggested?