I want to graph some data that I am consuming from some logs using filebeat/logstash/elasticsearch.
The logs are formatted something like this:
eventID | statusCode | timestamp
The eventIDs are not unique, meaning multiple log lines can have the same eventID if they are a part of the same event.
What I want is to make a graph that shows the count of the events with x statusCode at a given time.
I tried solving this with the group by transform, but I encountered some problems when using that. Mainly, the graph does not extend back more than ~5 minutes, and the different status codes are not plotted differently in the graph (see picture).
Here is a screenshot of the graph I want to create, made in Splunk:
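To make the intended aggregation concrete, here is an added Python example (not code from the post or from any of the tools mentioned) that parses lines in the `eventID | statusCode | timestamp` layout and counts distinct events per status code per time bucket, so repeated lines with the same eventID are counted once. The log lines and the 60-second bucket size are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in the "eventID | statusCode | timestamp" layout from
# the question; an eventID repeats when several lines belong to the same event.
SAMPLE_LOG = """\
evt-001 | 200 | 2024-01-01T10:00:05Z
evt-001 | 200 | 2024-01-01T10:00:07Z
evt-002 | 500 | 2024-01-01T10:00:40Z
evt-003 | 200 | 2024-01-01T10:01:10Z
evt-002 | 500 | 2024-01-01T10:01:20Z
evt-004 | 404 | 2024-01-01T10:06:00Z
"""

def parse_line(line):
    """Split one 'eventID | statusCode | timestamp' line into (id, code, datetime)."""
    event_id, status, ts = (part.strip() for part in line.split("|"))
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event_id, int(status), dt

def bucket_start(dt, bucket_seconds):
    """Floor a UTC datetime to the start of its epoch-aligned time bucket."""
    epoch = int(dt.timestamp())
    return datetime.fromtimestamp(epoch - epoch % bucket_seconds, tz=timezone.utc)

def count_events_by_status(log_text, bucket_seconds=60):
    """Return {(bucket_start, statusCode): number of distinct eventIDs}.

    Lines that share an eventID are one event, so each event is counted once
    per (bucket, status) pair instead of once per log line.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue  # skip blank lines
        event_id, status, dt = parse_line(line)
        seen[(bucket_start(dt, bucket_seconds), status)].add(event_id)
    return {key: len(ids) for key, ids in seen.items()}

if __name__ == "__main__":
    # One row per (time bucket, status code): the series a per-status graph would plot.
    for (bucket, status), n in sorted(count_events_by_status(SAMPLE_LOG).items()):
        print(f"{bucket.isoformat()} status={status} events={n}")
```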