This has been giving me headaches for a long time now, and it's pretty simple. So, for reference, this search works as intended.
sourcetype="pan_threat" (severity="high" OR "critical") | timechart count, first(threshold) as "Maximum Threshold" by date | eval threshold=200
It charts the number of hits over time, with the threshold of "200" also charted as its own line (as seen in the replicated graph below).
_time    count    threshold
2:00     17       200
2:30     19       200
3:00     14       200
etc, etc...
Not a problem. Now, I want to dynamically create the threshold value. The only way I know to calculate a sum of a field is the stats command. So what I'm trying is:
sourcetype=pan_threat severity!=informational | stats count as hits by severity | stats sum(hits) as threshold | timechart count, first(threshold) as "Maximum Threshold" by date
...That should theoretically throw back the same kind of thing, where instead of "Maximum Threshold" being 200, "Maximum Threshold" is the sum of the count. It's not, at all. In fact, it's throwing back "No Results Found", even though it shows 4,949 matching events.
Now, when I remove the timechart section, and search
sourcetype=pan_threat severity!=informational | stats count as hits by severity | stats sum(hits) as total_count
It gives me a very simple table with the data I want, something like the following.
Total Count
4949
Also, the following search throws back two fields, and it's properly setting "ts" to "threshold", as can be seen in the graph I've tried to replicate below it.
sourcetype=pan_threat severity!=informational | stats count as hits by severity | stats sum(hits) as total_count | eval totalcount=total_count
threshold    ts
4949         4949
I just want to chart the value of ts, just like I did when I had it setting to a raw number above. Anyone have any idea how to do this?
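As an added example (editor's note, not part of the original post): the second search returns nothing because each "stats" collapses the results to a single row and drops "_time", so the "timechart" that follows has nothing left to bucket. Keeping the time buckets and adding the overall total afterwards with "eventstats" produces the dynamic threshold line the post is after; the "span=30m" is an assumption chosen to match the half-hour rows shown above.

```spl
sourcetype=pan_threat severity!=informational
| timechart span=30m count
| eventstats sum(count) as threshold
| rename threshold as "Maximum Threshold"
```

Because "eventstats" sums "count" across all the buckets, every row carries the same total, which plots as a flat threshold line beside the per-interval count. The "by severity" pre-aggregation is not needed, since the sum of the per-severity counts equals the overall count.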