Hi,
You can optimize your search in some ways:
index="outside" sourcetype="squid" x_wbrs_score<-3.5 x_wbrs_score>-5.9 earliest = -1h@h latest=@h | eval cs_mime_type=lower(cs_mime_type)| search cs_mime_type=java OR cs_mime_type=json | timechart count by cs_user_agent
earliest=-1h@h latest=@h
This makes sure you only get exactly one hour of data
timechart count by cs_user_agent
Shows the count of requests by User agent
I've also moved the x_wbrs_score filter to the beginning of your search, I'm not really sure if this will work. But in general it's better to filter out the not needed data. That your search should be a bit faster.
The visualization is something you'll have to configure in the dashboard. Also the refreshing is something that should be done in the dashboard.
I've also assumed that the field that has the user agent is cs_user_agent.
You'll have to modify it if needed.
... View more