I Cant get this search to work as i wish.
This is my search (timespan = -2h@h):
sourcetype=stats device_id=1352199920_8710631364 | bucket _time span=1h | table _time LogKb1521 LogKb57740 LogDelegateErr CountNoL7OptNFS CountPassIntSSL CountNoL7OptNotes LogKb1872 CountNoL7OptMSSQL CountPassCitrix LogKb1510
What i want is a search result telling me the summed events (yes, the fields are numerical) of each field with 2 samples. One for the events from -2h@h to -1h@h and another from -1h@h to @h
What i do get is 31 results.
Same result when using 'bins=2'
When using 'minspan=1h', i get this error: "minspan option has no effect when span is specified"
I don't think that the bucket command is misbehaving - you probably have 31 events in total for that device_id for those 2 hours.
table just lists the fields in each event. So 31 events will give a table with 31 rows.
What I think you want is a timechart with a sum() for each field. Please note that the time constraints are added to the search below;
sourcetype=stats device_id=1352199920_8710631364 earliest=-2h@h latest=@h | timechart span=1h sum(LogKb1521) sum(LogKb57740) sum(LogDelegateErr) sum(CountNoL7OptNFS) sum(CountPassIntSSL) sum(CountNoL7OptNotes) sum(LogKb1872) sum(CountNoL7OptMSSQL) sum(CountPassCitrix) sum(LogKb1510)
Hope this helps,
View solution in original post
Yes you are right.