I've been trying to chart some data and every way I try, it just doesn't work.
I'm able to create a table of my data fine. I use the search:
sourcetype="ec2_web" "[EVENTS]" | rex field=_raw "\d:\s+(?<event>[\w+\s]+?)\s+(?<Status>\d)\s+(?<Avg>\d+.\d+)" max_match=100 | rex field=source "/(?<script>[^/]+)$" | search script="ec2_ireland_script4.txt" | table _time,script,event,Avg
A sample of how the data looks is attached.
If I try to put this in a timechart, I get a blank chart when using values.
sourcetype="ec2_web" "[EVENTS]" | rex field=_raw "\d:\s+(?<event>[\w+\s]+?)\s+(?<Status>\d)\s+(?<Avg>\d+.\d+)" max_match=100 | rex field=source "/(?<script>[^/]+)$" | search script="ec2_ireland_script4.txt" | timechart values(Avg) by event | fields - NULL OTHER
Do I have to convert these values to chart them correctly? Why would values not work in this situation?