Try this:

index=xyz Feature IN (Create, Update, Search, Health)
| timechart span=1m count as "Total Hits", perc90(Elapsed) by Feature
| appendpipe
[stats max("Total Hits: *") as *
| eval _time = "Total Hits"]
| fields - "Total Hits: *"
| appendpipe
[stats max("perc90(Elapsed): *") as *
| eval _time = "perc90(Elapsed)"]
| fields - "perc90*"
| tail 2
| transpose header_field=_time column_name=Feature
| where Feature != "_span"

Two additional pointers:

- Do not use a second search line if Feature is already available in indexed data.
- Do not use a separate command for time bucket if you are going to use timechart.

This is my emulation:

index=_internal
| rename date_second as Elapsed, log_level as Feature
| eval Feature = case(Feature == "INFO", "Create", Feature == "WARN", "Health", Feature == "ERROR", "Search", true(), "Update")
``` the above emulates
index=xyz Feature IN (Create, Update, Search, Health)
```

With this, the result is

Feature  perc90(Elapsed)     Total Hits
Create   59.000000000000000  1283
Health   48.700000000000000  191
Search   59                  212
Update   52.000000000000000  551