How to plot running sums? Eg given events with fields "time host errors", I'd like to do
but timechart doesn't have accum, and accum doesn't have "by".
The below gets close:
but RunningSum sometimes decreases (which I don't understand or want), and there are definitely less than 10000 events so I don't think window size is the reason.
This is somewhat tricky to do. Basically we first discretize time, like timechart does, so that we can calculate statistics per time bin. Then we count the errors in each time bin using stats. Next we use streamstats to achieve the accumulation. Last we use timechart to put it all together. A search like this should work:
... | bin _time | stats count as errors by _time host | streamstats sum(errors) as errors by series | timechart max(errors) by series
The | bin _time | stats count
didn't work for me. Instead I substituted it with another | timechart sum()
and it worked fine.