Solved: timechart no results found

graziaedu · ‎08-16-2021

I have the follow query

index=index |spath output=traceSteps path=traceSteps{}
|table traceSteps
|mvexpand traceSteps
|rex field=traceSteps "(message\"\:\"(?<mensagem>(?<=\")(.*?)(?=\")))"
|where mensagem LIKE "CPF%"
|stats count

when i change "|stats count" by "|timechart span=1d count" to show by date i have "no results found"

Why? What do i make wrong?

richgalloway · ‎08-16-2021

The timechart command requires the _time field, but it was stripped out of the results by the table command. Either remove the table command or add the _time field to it.

index=index |spath output=traceSteps path=traceSteps{}
|table _time traceSteps
|mvexpand traceSteps
|rex field=traceSteps "(message\"\:\"(?<mensagem>(?<=\")(.*?)(?=\")))"
|where mensagem LIKE "CPF%"
|timechart span=1d count

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

richgalloway · ‎08-16-2021

The timechart command requires the _time field, but it was stripped out of the results by the table command. Either remove the table command or add the _time field to it.

index=index |spath output=traceSteps path=traceSteps{}
|table _time traceSteps
|mvexpand traceSteps
|rex field=traceSteps "(message\"\:\"(?<mensagem>(?<=\")(.*?)(?=\")))"
|where mensagem LIKE "CPF%"
|timechart span=1d count

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

graziaedu · ‎08-17-2021

@richgalloway thanks. it was work.

timechart no results found

timechart

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>