Hi all,
Below is my search...
source="computer_status_export_SEP12_Mar27.csv" | dedup "Computer Name","MAC Address1" | timechart count("Last time status changed") as count span=1d | sort - _time
_time count
2014-03-27 24
2014-03-26 21790
2014-03-25 32439
2014-03-24 4017
2014-03-23 1336
2014-03-22 334
2014-03-21 441
2014-03-20 1540
2014-03-19 1134
2014-03-18 1874
2014-03-17 1363
2014-03-16 760
2014-03-15 261
2014-03-14 253
2014-03-13 698
2014-03-12 684
2014-03-11 541
2014-03-10 473
2014-03-09 425
Now what I want to do is add the counts after 10 values, meaning from 2014-03-17 to the end, so please help me.
If the above two suggestions are not okay for you, then use a where clause to have the dates greater than the 17th! Why bother about all the top 11 records or the 11th record?
Try this
source="computer_status_export_SEP12_Mar27.csv" | dedup "Computer Name","MAC Address1" | timechart count("Last time status changed") as count span=1d | sort - _time | streamstats count as sno | eval sno=if(sno>10,11,sno) | stats first(_time) as _time sum(count) as count by sno | fields - sno
Just to be sure, the output should be like this:
Date##Signature<=4##Signature>=5and<=10##Signature>=11
04-30##Count(04-30 to 04-27)##Count(04-26 to 04-22)##Count(before 04-22)
This should be done for just today or for every day, get data for past 5, 6-10 and before 10 days? Signature is a field in your logs?
The output which I mentioned above is for only one day (2014-03-27).
Now my question is: I want to make the trend for the past 10 days including today, that is, from today (30/04/2014) back to 21/04/2014 (from today to the past 10 days).
Expected Output:
Date Signature<=4 "Signature>=5and<=10" "Signature>=11"
2014-04-30 100 200 500
29
28
27
26
25
24
23
22
21
So I can make the trend for the computer status report (this is the file where we store the status of computer details for the entire domain).
Please help me.
As I mentioned above:
_time count
2014-03-27 24
2014-03-26 21790
2014-03-25 32439
2014-03-24 4017
2014-03-23 1336
2014-03-22 334
2014-03-21 441
2014-03-20 1540
2014-03-19 1134
2014-03-18 1874
2014-03-11 541
I want to generate a report with the first 4 days as group1, the next 6 days as group2, and the rest as group3.
Expected Output:
Signature <=4 count1(first 4days count)
Signature >=5 and <=10 count2(next 6 days count)
Signature >=11 count3(rest of days count)
You want a cumulative sum after the 10th value? If possible, provide the expected output from the sample data you've shared.
You can't have the syntax you mentioned in the previous comment, but if you can tell us your requirement with expected output, there may be some workarounds to get that.
And one more thing: can I write the code like below?
if(sno>=4,stats sum(count),if(sno>=5 and sno<=10),stats sum(count),if(sno>=11),stats sum(count))....
I think this should be understood by you, please help me.
That is a search for the first 10 values, right?
I want to combine everything after the 10th to the last value. I don't want the first 10, OK?
You could set your timerange accordingly to only search from March 17th and on.
Alternatively, you can add this to the end of your search:
... | head 11 | stats sum(count)
That will take the first eleven rows, March 27th to March 17th, and sum up their counts.
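An added example, not part of the original thread: the three-group report asked for above (first 4 days, next 6 days, everything older) built on the same streamstats row-numbering idea as the posted answer. The field names sample_rows, day, sno and grp and the group labels are assumptions chosen for this illustration; the daily counts are the ones from the question, embedded inline so the search runs without the CSV.

```spl
| makeresults
| eval sample_rows=split("2014-03-27,24;2014-03-26,21790;2014-03-25,32439;2014-03-24,4017;2014-03-23,1336;2014-03-22,334;2014-03-21,441;2014-03-20,1540;2014-03-19,1134;2014-03-18,1874;2014-03-17,1363;2014-03-16,760;2014-03-15,261;2014-03-14,253;2014-03-13,698;2014-03-12,684;2014-03-11,541;2014-03-10,473;2014-03-09,425", ";")
| mvexpand sample_rows
| eval day=mvindex(split(sample_rows, ","), 0)
| eval count=tonumber(mvindex(split(sample_rows, ","), 1))
| eval _time=strptime(day, "%Y-%m-%d")
| fields _time day count
| sort 0 - _time
| streamstats count as sno
| eval grp=case(sno<=4, "group1 (rows 01-04)", sno<=10, "group2 (rows 05-10)", true(), "group3 (rows 11+)")
| stats first(day) as newest_day last(day) as oldest_day sum(count) as count by grp
```

Against the real data, replace everything up to and including the `fields` line with the original search through `timechart ... span=1d`; the `sort`, `streamstats`, `eval` and `stats` steps then apply unchanged, apart from `day`, which does not exist there, so use `first(_time)` and `last(_time)` in its place.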