I'm looking for unique local/foreign pairs in netstat output to track the number of tcp connections in TIME_WAIT on a server. Here's my query:
index=esos host=web5 sourcetype=netstat earliest=-4d latest=now
| multikv
| eval pair = LocalAddress + "-" + ForeignAddress
| search State=TIME_WAIT LocalAddress!="::ffff:*" | dedup pair | timechart span=5m dc(pair)
When I click search and watch the chart draw, in the beginning it shows the latest data. I'm investigating a recent phenomenon and want to visually compare it to the past several days. While the graph accumulates more data, the time period of the chart eventually changes, lopping off much of the recent data. What causes this, and how can I still get a timechart of this data with relatively high resolution?
