I have the following query:
index=index |spath output=traceSteps path=traceSteps{}
|table traceSteps
|mvexpand traceSteps
|rex field=traceSteps "(message\"\:\"(?<mensagem>(?<=\")(.*?)(?=\")))"
|where mensagem LIKE "CPF%"
|stats count
When I change "|stats count" to "|timechart span=1d count" to show by date, I have "no results found".
Why? What am I doing wrong?
The timechart command requires the _time field, but it was stripped out of the results by the table command. Either remove the table command or add the _time field to it.
index=index |spath output=traceSteps path=traceSteps{}
|table _time traceSteps
|mvexpand traceSteps
|rex field=traceSteps "(message\"\:\"(?<mensagem>(?<=\")(.*?)(?=\")))"
|where mensagem LIKE "CPF%"
|timechart span=1d count
@richgalloway thanks. It worked.