We have three columns for the below query: _time, response_time and count,
index="idxweblog" source="/opt/apache2/logs/idxapi.nbcuni.com-access_log" | stats count by _time, response_time
Now we want to count the results like this:
_time (the same time shouldn't repeat)
Max(response_time)
count (should include the count of all events)
Can you please help me get this query?
Thanks musskopf, I have tried the below and it's working fine for me:
index="idxweblog" source="/opt/apache2/logs/idxapi.nbcuni.com-access_log" BRAND_ID="4b784d93d98941e087bbe75b1c2b9fbe" |stats count as cevent by _time, response_time | stats max(response_time) as mresponse, sum(cevent) as sevent by _time | sort by _time desc
Hello dhavamanis,
Is that what you're looking for?
index="idxweblog" source="/opt/apache2/logs/idxapi.nbcuni.com-access_log" | eventstats count AS total_events | stats count, values(total_events), max(response_time) by _time
Just for your reference, the command eventstats is similar to stats, but instead of creating a table, it'll add the result to each event as an additional field, and you can use it on the next pipe.
Also, you might want to add something like | bucket span=10m _time after your search to group things together.
If that's not what you're after, please post a table showing what the result should look like.
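To make the difference between eventstats and stats concrete, and to show what bucket does to _time, here is an added Python model of the pipelines discussed in this thread. It is not Splunk code and not from any poster; the EVENTS records are constructed, the function names are hypothetical, and the 10-minute span is taken from the answer above.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not from the thread): parsed access-log records
# with a timestamp and a response_time, as in the original search's fields.
EVENTS = [
    {"_time": "2014-03-10 09:01:12", "response_time": 120},
    {"_time": "2014-03-10 09:01:12", "response_time": 120},
    {"_time": "2014-03-10 09:04:55", "response_time": 310},
    {"_time": "2014-03-10 09:11:03", "response_time": 95},
    {"_time": "2014-03-10 09:17:40", "response_time": 410},
    {"_time": "2014-03-10 09:17:40", "response_time": 200},
]

def bucket(events, span_minutes=10):
    """Model of `| bucket span=10m _time`: floor each timestamp to the span."""
    out = []
    for ev in events:
        ts = datetime.strptime(ev["_time"], "%Y-%m-%d %H:%M:%S")
        floored = ts - timedelta(minutes=ts.minute % span_minutes, seconds=ts.second)
        out.append({**ev, "_time": floored.strftime("%Y-%m-%d %H:%M:%S")})
    return out

def eventstats_count(events):
    """Model of `| eventstats count AS total_events`: every event keeps its own
    fields and gains total_events; nothing is collapsed into a table."""
    total = len(events)
    return [{**ev, "total_events": total} for ev in events]

def stats_by_time(events):
    """Model of `| stats count, max(response_time) by _time`: one row per _time."""
    groups = {}
    for ev in events:
        g = groups.setdefault(ev["_time"], {"count": 0, "max_response_time": None})
        g["count"] += 1
        if g["max_response_time"] is None or ev["response_time"] > g["max_response_time"]:
            g["max_response_time"] = ev["response_time"]
    return dict(sorted(groups.items()))

def two_stage_stats(events):
    """The asker's accepted pipeline: stats count by _time, response_time, then
    max(response_time) and sum(count) by _time. It yields the same table."""
    first = Counter((ev["_time"], ev["response_time"]) for ev in events)
    out = {}
    for (t, rt), c in first.items():
        g = out.setdefault(t, {"count": 0, "max_response_time": None})
        g["count"] += c
        if g["max_response_time"] is None or rt > g["max_response_time"]:
            g["max_response_time"] = rt
    return dict(sorted(out.items()))
```

Running stats_by_time(bucket(EVENTS)) shows how the two 09:0x and two 09:1x timestamps collapse into one 10-minute row each, which is the grouping the answer suggests.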