Solved: timechart no results found

graziaedu · ‎08-16-2021

I have the follow query

index=index |spath output=traceSteps path=traceSteps{}
|table traceSteps
|mvexpand traceSteps
|rex field=traceSteps "(message\"\:\"(?<mensagem>(?<=\")(.*?)(?=\")))"
|where mensagem LIKE "CPF%"
|stats count

when i change "|stats count" by "|timechart span=1d count" to show by date i have "no results found"

Why? What do i make wrong?

richgalloway · ‎08-16-2021

The timechart command requires the _time field, but it was stripped out of the results by the table command. Either remove the table command or add the _time field to it.

index=index |spath output=traceSteps path=traceSteps{}
|table _time traceSteps
|mvexpand traceSteps
|rex field=traceSteps "(message\"\:\"(?<mensagem>(?<=\")(.*?)(?=\")))"
|where mensagem LIKE "CPF%"
|timechart span=1d count

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-16-2021

The timechart command requires the _time field, but it was stripped out of the results by the table command. Either remove the table command or add the _time field to it.

index=index |spath output=traceSteps path=traceSteps{}
|table _time traceSteps
|mvexpand traceSteps
|rex field=traceSteps "(message\"\:\"(?<mensagem>(?<=\")(.*?)(?=\")))"
|where mensagem LIKE "CPF%"
|timechart span=1d count

---
If this reply helps you, Karma would be appreciated.

graziaedu · ‎08-17-2021

@richgalloway thanks. it was work.

timechart no results found

timechart

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!