I'm Having issues with my case statement.
index=sti_123 source=rss_servers active = "1" status = "Being Commissioned"
| eval Timenow=now()
| eval days_since_provisioned = Timenow - date_provisioned
| eval bucket = case(days_since_provisioned <=179, "Less Than 180", days_since_provisioned <= 210, "180-210", days_sinced_provisioned >= 210, "Greater Than 210")
| chart count by bucket
I believe it is the bucket case statement that is the issue, because I remove the "By bucket" and it gives me the correct total, but I just need to be able to say X server has been in this stage for A B or C length
... View more