I am trying to get a simple count of events; instead I am getting the value of the first column as the count. Below is the simple search I am running.
index=main sourcetype=proxy_log | eval MB_out=round(bytes_out/(1024*1024)) | timechart count(MB_out)
There are only 3 events, so I am expecting the count to give me 3. Instead it picks the last number in the first column, which is 0, e.g. below:
_time count(MB_out)
2018-06-18 19:00:00 804
2018-06-18 19:30:00 837
2018-06-18 20:00:00 833
2018-06-18 20:30:00 839
2018-06-18 21:00:00 798
2018-06-18 21:30:00 848
2018-06-18 22:00:00 850
2018-06-18 22:30:00 819
2018-06-18 23:00:00 850
2018-06-18 23:30:00 819
2018-06-19 00:00:00 642
2018-06-19 00:30:00 345
2018-06-19 01:00:00 280
2018-06-19 01:30:00 270
2018-06-19 02:00:00 116
2018-06-19 02:30:00 4
2018-06-19 03:00:00 0
2018-06-19 03:30:00 0
2018-06-19 04:00:00 0
2018-06-19 04:30:00 0
Hi scc00,
At first, if you want to count events, you don't need to use the eval command:
index=main sourcetype=proxy_log
| timechart count
If instead you want the sum of bytes, you have to use the eval command, but in timechart you have to use the sum function:
index=main sourcetype=proxy_log
| eval MB_out=round(bytes_out/1024/1024)
| timechart sum(MB_out)
Anyway, are you sure that you have events with bytes_out in the period when you have 0?
Bye.
Giuseppe
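To make the difference between the three aggregations concrete, here is an added illustration that is not part of Giuseppe's answer and not Splunk code: a small Python simulation of `timechart span=30m count`, `count(MB_out)` and `sum(MB_out)` over constructed proxy events. It assumes Splunk's behaviour that `count(field)` only counts events where the field is present, which is why a bucket whose events all lack bytes_out shows 0.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy events (not real log data). bytes_out is None for
# events where the field was not extracted, as happens with oddly formed lines.
EVENTS = [
    {"_time": "2018-06-18 19:05:00", "bytes_out": 5 * 1024 * 1024},
    {"_time": "2018-06-18 19:20:00", "bytes_out": 2 * 1024 * 1024 + 600000},
    {"_time": "2018-06-18 19:40:00", "bytes_out": None},
    {"_time": "2018-06-18 19:55:00", "bytes_out": 1024 * 1024},
    {"_time": "2018-06-18 20:10:00", "bytes_out": None},
]


def mb_out(bytes_out):
    """Mirrors `eval MB_out=round(bytes_out/1024/1024)`: a null input stays null."""
    if bytes_out is None:
        return None
    return round(bytes_out / 1024 / 1024)


def bucket_30m(ts):
    """Floor a timestamp string to the start of its 30-minute span."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    t = t.replace(minute=(t.minute // 30) * 30, second=0)
    return t.strftime("%Y-%m-%d %H:%M:%S")


def timechart(events):
    """Return {bucket: (count, count(MB_out), sum(MB_out))} per 30-minute span."""
    rows = defaultdict(lambda: [0, 0, 0])
    for ev in events:
        b = bucket_30m(ev["_time"])
        mb = mb_out(ev["bytes_out"])
        rows[b][0] += 1          # count: every event in the span
        if mb is not None:
            rows[b][1] += 1      # count(MB_out): only events where the field exists
            rows[b][2] += mb     # sum(MB_out): adds the rounded values
    return {b: tuple(v) for b, v in sorted(rows.items())}


if __name__ == "__main__":
    print("_time               count count(MB_out) sum(MB_out)")
    for b, (c, cf, s) in timechart(EVENTS).items():
        print(b, c, cf, s)
```

Running it side by side like this in Splunk (`timechart span=30m count, count(MB_out), sum(MB_out)`) is the quickest way to see whether a 0 comes from missing events or from events that lack the field.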
Yes, I have done all of that. I still get the last value in the timechart count() series. This is why I opened this question. This shouldn't happen; it's a simple command.
Please elaborate: what do you mean when you say there are 3 events? Which first column are you referring to?