I have a data model containing a dataset from which I would like to extract and plot data over two specific time ranges. For that, I'm using tstats to fetch data from the Blocked_Traffic data model (because there's a huge amount of data) in the first query, which I'm then piping into another query for the second time range. In order for that to work, I have to set prestats to true. The documentation indicates that it's supposed to work with the timechart function, but no matter my final query, I can't get a line chart (or any type of chart) to display. Here's my pseudo-query:
| tstats prestats=true count FROM datamodel=Network_Traffic.All_Traffic, WHERE nodename=All_Traffic.Traffic_By_Action Blocked_Traffic, NOT All_Traffic.src_ip IN (0.0.0.0), All_Traffic.dest_ip!="10.*", All_Traffic.bytes_out > 1000 earliest=-3h@h latest=-10min@min by All_Traffic.bytes_out
| tstats prestats=true append=true count FROM datamodel=Network_Traffic.All_Traffic, WHERE nodename=All_Traffic.Traffic_By_Action Blocked_Traffic, NOT All_Traffic.src_ip IN (0.0.0.0), All_Traffic.dest_ip!="10.*", All_Traffic.bytes_out > 1000 earliest=-27h@h latest=-24h@h by All_Traffic.bytes_out
| timechart sum(All_Traffic.bytes_out)
I feel like the prestats parameter is making me lose the timestamps, which prevents the timechart function from working, but I'm not really sure. Any help would be appreciated.
Best Answer
You're actually losing _time with your tstats commands...
You need to include _time in the by clause of your tstats commands, then you'll have it for use with timechart.
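One way to apply this answer, written here as an added example rather than the original poster's query or the accepted answer's text: both tstats calls group by _time (with a span) so the timestamps survive into timechart, and the aggregation requested in prestats mode is the same one timechart later computes. The node name (with a dot instead of the space in the question), the 10-minute span and the use of sum() rather than count are my assumptions; the field names, filters and time ranges come from the question.

```spl
| tstats prestats=true sum(All_Traffic.bytes_out) FROM datamodel=Network_Traffic.All_Traffic
    WHERE nodename=All_Traffic.Traffic_By_Action.Blocked_Traffic ```assumed dotted node name```
          NOT All_Traffic.src_ip IN (0.0.0.0)
          All_Traffic.dest_ip!="10.*"
          All_Traffic.bytes_out > 1000
          earliest=-3h@h latest=-10min@min
    BY _time span=10m ```span is an assumed bin width; _time in BY keeps the timestamps```
| tstats prestats=true append=true sum(All_Traffic.bytes_out) FROM datamodel=Network_Traffic.All_Traffic
    WHERE nodename=All_Traffic.Traffic_By_Action.Blocked_Traffic
          NOT All_Traffic.src_ip IN (0.0.0.0)
          All_Traffic.dest_ip!="10.*"
          All_Traffic.bytes_out > 1000
          earliest=-27h@h latest=-24h@h
    BY _time span=10m
| timechart span=10m sum(All_Traffic.bytes_out) AS blocked_bytes_out
```

Two points worth checking when adapting this: the statistical function used with prestats=true must match the one timechart finishes (here sum of bytes_out in both places; the question asked for count in tstats but sum in timechart, which leaves timechart nothing to sum), and the span on the tstats BY clause and on timechart should agree so the two appended ranges fall into the same bucket grid. Because the two ranges are 24 hours apart, the resulting chart will show both series on one time axis with an empty gap between them.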