Hi,
I would like to calculate the number of events between two times in my search.
There are 2 statuses, exceed & within, in my query.
I want to calculate the number of "exceed" events between 11:45 and 1:45 daily.
My query has to run from 22:30 to the next day 22:30 to count the total events.
Not 100% sure that I understand your reporting needs;
- the total number of events per 24 hours, counting from 22:30 each day.
- Also, you want the number of events between 11:45 - 13:45 (assumption) where status=exceed
If you want the 'exceed' events between 11:45 and 01:45 you should change the schedule so that the search runs outside that timeframe, e.g. at 02:00.
So to the answer;
sourcetype=XXX earliest=-1d@d+22h+30m latest=@d+22h+30m
| stats c as Total
| appendcols
    [search sourcetype=XXX earliest=@d+11h+45m latest=@d+13h+45m status=exceeded
    | stats c as "Number of exceeded during my loong lunch"]
Added some indentation so that it's easier to see what happens in the appended search. Set the search to run at 23.00 every day.
As you might guess, the searches operate independently of each other, and the result will look something like;
Total    Number of exceeded during my loong lunch
------   ----------------------------------------
124621   9473
Hope this helps,
Kristian
Hi Kristian, thank you for the answer, 🙂 It worked, and I also wrote the query in a different way, which also worked. 🙂 .. | stats count(eval(Report="exceed" AND ((StartTime>"00:00:00.000" AND StartTime<"01:45:00.000") OR StartTime>"23:45:00.000"))) as "exceeded count".
The StartTime field already exists in the logs 😜
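The two answers above rely on two things that are easy to get subtly wrong: how Splunk's relative-time modifiers such as `-1d@d+22h+30m` resolve against the scheduled run time, and how a window that crosses midnight (23:45 to 01:45) has to be expressed as the union of two same-day ranges with the AND/OR precedence made explicit. The script below is an added illustration, not code from the thread or from Splunk: it implements a small resolver for the d/h/m subset of the modifier syntax used here, shows the size of the windows Kristian's search produces for a constructed run time of 23:00, and counts "exceed" events over a constructed set of records both with the explicit grouping and with the ungrouped expression, so the difference is visible. The run time, the events and the `EVENTS`/`RUN_AT` names are assumptions for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed scheduled run time for the report (the thread schedules it for 23:00).
RUN_AT = datetime(2024, 1, 10, 23, 0)

# Subset of Splunk relative-time syntax seen in the thread: signed offsets with
# d/h/m units and snap-to-unit (@d, @h, @m). Other units and snap forms are not handled.
_TOKEN = re.compile(r"([+-]\d+)([dhm])|@([dhm])")
_UNITS = {"d": timedelta(days=1), "h": timedelta(hours=1), "m": timedelta(minutes=1)}


def resolve(modifier: str, now: datetime) -> datetime:
    """Apply a relative-time modifier left to right, starting from `now`."""
    t, pos = now, 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:
            raise ValueError(f"unsupported text in {modifier!r} at offset {pos}")
        pos = m.end()
        if m.group(3):  # snap: truncate to the start of the unit
            unit = m.group(3)
            if unit == "d":
                t = t.replace(hour=0, minute=0, second=0, microsecond=0)
            elif unit == "h":
                t = t.replace(minute=0, second=0, microsecond=0)
            else:
                t = t.replace(second=0, microsecond=0)
        else:       # signed offset, applied after any snap that preceded it
            t += int(m.group(1)) * _UNITS[m.group(2)]
    if pos != len(modifier):
        raise ValueError(f"unsupported trailing text in {modifier!r}")
    return t


def window_hours(earliest: str, latest: str, now: datetime) -> float:
    """Length in hours of the search window the two modifiers select."""
    return (resolve(latest, now) - resolve(earliest, now)).total_seconds() / 3600


# Constructed sample records: (Report, StartTime) as the second answer describes them.
EVENTS = [
    ("exceed", "23:50:00.000"),
    ("exceed", "00:30:00.000"),
    ("within", "00:10:00.000"),
    ("exceed", "12:00:00.000"),
    ("within", "23:59:00.000"),
    ("exceed", "01:45:00.000"),  # boundary value, excluded by the strict "<"
]


def in_night_window(start_time: str) -> bool:
    """23:45 -> 01:45 crosses midnight, so it is two same-day ranges joined by OR.
    Zero-padded HH:MM:SS.mmm strings compare lexicographically in time order."""
    return ("00:00:00.000" < start_time < "01:45:00.000") or start_time > "23:45:00.000"


def count_exceeded(events, explicit_grouping: bool = True) -> int:
    """Count records with Report == "exceed" inside the night window.
    With explicit_grouping=False the condition is written as the reply first had it:
    AND binds tighter than OR, so any record after 23:45 is counted regardless of Report."""
    n = 0
    for report, start in events:
        if explicit_grouping:
            hit = report == "exceed" and in_night_window(start)
        else:
            hit = (report == "exceed" and "00:00:00.000" < start < "01:45:00.000") \
                  or start > "23:45:00.000"
        n += int(hit)
    return n


if __name__ == "__main__":
    print("daily total window (h):", window_hours("-1d@d+22h+30m", "@d+22h+30m", RUN_AT))
    print("as first posted, 11:45 window (h):", window_hours("-1d@d+11h+45m", "@d+13h+45m", RUN_AT))
    print("same-day 11:45 window (h):", window_hours("@d+11h+45m", "@d+13h+45m", RUN_AT))
    print("exceed in night window, grouped:", count_exceeded(EVENTS))
    print("exceed in night window, ungrouped:", count_exceeded(EVENTS, explicit_grouping=False))
```

Run at 23:00, `-1d@d+22h+30m` resolves to 22:30 the previous day and `@d+22h+30m` to 22:30 today, a 24-hour window as intended; putting `-1d` in front of the lunch-window `earliest` while `latest` stays on today stretches that window to 26 hours, which is why both modifiers should snap to the same day. For the midnight-crossing window the grouped condition counts only the two "exceed" records, while the ungrouped one also picks up the "within" record at 23:59.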