Hey, I was here yesterday and made minor improvements...
I have a set of data where each message sent corresponds to an input event from an app. Every message contains a user_id. Some of these messages also contain the field log_info, which indicates that whatever happened in the input was an error. I want to find out how many users in the past hour (or whatever timeline) encountered an error, and display this as a percent versus all active users over the hour, and finally display this on a timechart. So far I have:
source="app" | stats dc(user_id) as users | eval percent=[search source="app" log_info=* | stats dc(user_id) as errs | rename errs as query]/users
Which does everything I want it to, except displaying as a chart. When I replace stats with timechart, Splunk doesn't seem to like it. I'm very new to Splunk, but as far as I know stats and timechart do the same thing, except with different formatting. I've tried about a million different things at this point but can't think of where else to go.
Thanks for any help.
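Added example (editor's addition, not part of the original post): the same percentage computed per time bucket without a subsearch. The subsearch in the post returns one literal number for the whole search window, so there is nothing for timechart to bucket; computing both distinct counts in a single timechart call gives one row per span instead. The field names (source="app", user_id, log_info) are taken from the post; the hourly span and the two-decimal rounding are assumptions. Because no subsearch is involved, the default subsearch result and time limits no longer apply.

```spl
source="app"
| timechart span=1h
    dc(user_id) AS users
    dc(eval(if(isnotnull(log_info), user_id, null()))) AS errs
| eval percent=round(100*errs/users, 2)
| fields _time, users, errs, percent
```

The dc(eval(...)) form counts a user only when the event carries log_info, so errs is the number of distinct users with at least one error in that bucket and users is the number of distinct active users in the same bucket. Change span=1h to the bucket width you want, and append a clause such as | where percent > 20 if the chart is meant to drive an alert rather than a dashboard panel.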