I want a view similar to this: 
with a different colour/line for each error type
I tried 2 approaches and failed
1st Approach - transformers
I first query all by requests and present the verb
{job="myJob", filename="/server.log"} |= `exception_type` | json | line_format `{{.exception_type}}`Then I use a
Format Timetransformer, where I set the formatting toYYYYMMDD-HHThen I use the
Group Bytransformer, where I group by my now grouped by hour Time as well aslinewhich contains theexception_type- I also add a
calculateon the "Id" column and selectcount - lastly I add a
calculateon the "Time" to get the first value
- I also add a
At this point I have a few of the columns I need, but no way for the Timeseries ingest this format.
2nd Approach - multiple count_over_time stacks
I could technically stack a bunch of these (one for each error type), but that seems less than ideal; both because I don't have a comprehensive list of error types, and because the maintenance surface area is larger than I'd like
sum(count_over_time({job="myjob", filename="server.log"} | json | exception_type =~ "Could not create folder" [$__interval]))
The image I provided works because it's hitting an SQL DB (Postgres) which has a group by and a query that looks like this:
