Trying improvize. When I try the following with last 30 days in the search I run into problems:
SourceName="sname" Message="**" | bucket span=1d _time | convert timeformat="%e %b" ctime(_time) AS c_time | chart count over SourceName by c_time useother=f
1. I get the results truncated. It shows only few dates. But when i reduce it to 7 days it works properly. Am I missing basic stuff.
2. Is there a way to count over combined columns? like count over(sourcename, Message)?
3. I want to Append multiple sourcename and message and have it piped into one search where I want to see the below results day-wise:
ExceptionName Day1 day2 day3
Exception1 10 100 200
Exception2 0 200 300
Total 10 300 500
Thank you in advance
... View more