I have a search along these lines
"duration: "
| rex field=host "(?P<host_type>[my_magic_regex])"
| rex "duration: (?P<duration_seconds>[0-9]+)"
| chart count by duration_seconds host_type limit=0 span=1.0
This is working exactly as expected. However, since I am doing count by ... for each host type, the histograms constructed for each host_type vary wildly. The lines have such a different scale that overlaying them on the same axis is worthless. I need to either 1. create a different chart for each host_type (and not worry about the actual value of count) 2. normalize the y axis so that instead of the literal count, the max peak for all histograms is 1 (or 100 or whatever) I think I'll need a foreach command somewhere, but not sure what's the best route forward. Maybe there's a command similar to count that I should be using instead.
... View more