I am trying to display a line chart on a dashboard which shows activity of a service by time of day. I need to show this over several months to determine what time of day is busiest.
This would be easy, were it not for the need to eliminate the service calls made by a monitor. These are made once every ten minutes and need to be left out of the results.
I'm using message_id for the count, since I want the call and response (2 separate log entries) to count only once. My issue is that my results are not correct; it seems as if they are being truncated or as if my math is somehow off.
The search I'm using is below and any help is much appreciated.
index="platform_osb" sourcetype="OSB" SingleSignOn SVC_ACCT earliest=10/08/2013:0:0:0 latest=@d
| rex field=_raw "message-id:\s+(?P<message_id>[^,]+)"
| eval searchStartTime=strptime("10/08/2013", "%m/%d/%Y")
| eval reductionFigure=(floor((now()-searchStartTime)/60/60/24)-1)*6
| stats dc(message_id) as Count1 by date_hour reductionFigure
| eval Count=Count1-reductionFigure
| table date_hour Count1 Count | fields - Count1
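As an added illustration (not part of the question, and not the Splunk search itself), the following Python reproduces the intended aggregation offline: extract the message-id from each log line, count each id once per hour regardless of how many request/response entries it produced, and drop the monitor's calls by identifying them directly rather than by subtracting an estimated figure. The log lines are constructed for the example, and the `user=MONITOR_ACCT` marker for the monitor is an assumption; the real events would carry whatever field distinguishes the monitor's service account.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an OSB-like shape (not real output). The
# "message-id" ties a request and its response together, as in the rex
# extraction from the question. "user=MONITOR_ACCT" is an assumed marker
# for the monitor's calls.
SAMPLE_LOG = """\
2013-10-08 09:00:12 OSB SingleSignOn SVC_ACCT message-id: m-1001, direction=request, user=alice
2013-10-08 09:00:13 OSB SingleSignOn SVC_ACCT message-id: m-1001, direction=response, user=alice
2013-10-08 09:10:00 OSB SingleSignOn SVC_ACCT message-id: m-9001, direction=request, user=MONITOR_ACCT
2013-10-08 09:10:00 OSB SingleSignOn SVC_ACCT message-id: m-9001, direction=response, user=MONITOR_ACCT
2013-10-08 09:42:55 OSB SingleSignOn SVC_ACCT message-id: m-1002, direction=request, user=bob
2013-10-08 09:42:56 OSB SingleSignOn SVC_ACCT message-id: m-1002, direction=response, user=bob
2013-10-09 09:15:01 OSB SingleSignOn SVC_ACCT message-id: m-1003, direction=request, user=carol
2013-10-09 09:15:02 OSB SingleSignOn SVC_ACCT message-id: m-1003, direction=response, user=carol
2013-10-09 14:20:00 OSB SingleSignOn SVC_ACCT message-id: m-9002, direction=request, user=MONITOR_ACCT
2013-10-09 14:20:00 OSB SingleSignOn SVC_ACCT message-id: m-9002, direction=response, user=MONITOR_ACCT
2013-10-09 14:31:40 OSB SingleSignOn SVC_ACCT message-id: m-1004, direction=request, user=dave
"""

# Same message-id capture as the question's rex, plus timestamp and user.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"message-id:\s+(?P<message_id>[^,]+),.*?user=(?P<user>\S+)"
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "message_id": m.group("message_id"),
        "user": m.group("user"),
    }


def distinct_calls_by_hour(log_text, exclude_users=frozenset({"MONITOR_ACCT"})):
    """Distinct message ids per hour of day, like `stats dc(message_id) by date_hour`.

    Request and response share a message id, so a set per hour counts each
    call once. Events from `exclude_users` (the monitor) are skipped before
    counting, so no per-day subtraction is needed afterwards.
    """
    ids_by_hour = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] in exclude_users:
            continue
        ids_by_hour[ev["ts"].hour].add(ev["message_id"])
    return {hour: len(ids) for hour, ids in sorted(ids_by_hour.items())}


if __name__ == "__main__":
    print("including monitor:", distinct_calls_by_hour(SAMPLE_LOG, exclude_users=frozenset()))
    print("excluding monitor:", distinct_calls_by_hour(SAMPLE_LOG))
```

Filtering the monitor's events out before the `stats` (for example with a `search` or `where` clause on whatever field identifies the monitor account) keeps the count exact even if the monitor missed a run or the day count is off by one, which a subtracted `reductionFigure` cannot.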