Hi team,
With the query below, I can't get the expected result, with the bins split every 2 hours as I specified with "| bin span=2h TIME":
index=*bizx_application AND sourcetype=perf_log_bizx AND AutoSaveForm OR SaveFormV2 OR SaveForm
| eval TIME=strftime(_time,"%Y-%m-%d %H:%M:%S")
| bin span=2h TIME
| stats count by TIME SFDC
The result I got from the above query is the table below. As you can see, the TIME column is not split by 2 hours. What's wrong here?
Use _time instead of time for your bin and stats. If you want the time displayed in a particular format, use fieldformat:
index=*bizx_application AND sourcetype=perf_log_bizx AND AutoSaveForm OR SaveFormV2 OR SaveForm
| fieldformat _time=strftime(_time,"%Y-%m-%d %H:%M:%S")
| bin span=2h _time
| stats count by _time SFDC
Hi @ITWhisperer ,
It works by using _time, but I have another requirement: I want to display the time in the chart in descending order, using the reverse command, which means the latest time and its corresponding count are put on the left instead of the right.
So with the query below, the reverse command doesn't actually reverse _time. That's why I didn't use _time at first. Any idea?
index=*bizx_application AND sourcetype=perf_log_bizx AND AutoSaveForm OR SaveFormV2 OR SaveForm
| fieldformat _time=strftime(_time,"%Y-%m-%d %H:%M:%S")
| bin span=2h _time
| stats count by _time SFDC
| chart values(count) by _time SFDC
| reverse
So the original problem has been solved. Please mark the solution as solving the issue so that others looking for the same issue can find it. As for the reversing the order of time, you already have another question to cover that, so I will post suggestions there.