Hi All,
I have a need to display a timechart which contains negative HTTP status codes (400's and 500's) today, yesterday, and same time last week. I've used append, appendcol, stats, eval, addinfo, etc. and I can't seem to get the best fit. Some timeout on subsearches, some don't make the _time readable and I've tried just about every example possible.
I've tried to break the 3 searches into individual saved searches and build acceleration for each. Any help would be greatly appreciated. Here is the best performing one; that is only for today vs. yesterday which I cannot get the time series display to render nicely, but it performs the best (returning under 5 seconds).
index=access_json status>=400 earliest=-2h@h latest=@h
| timechart span=1m count as metric | addinfo
| eval marker = if(_time < info_min_time + 3600, "Last hour", "This hour")
| eval _time = if(_time < info_min_time + 3600, _time + 3600, _time)
| chart median(metric) by _time marker
Thanks!
... View more