I want to have an alert raised when any of our top sourcetypes' hourly indexing rises above a given monthly average ratio, thus I'll be using a main and a sub search.
The problem is, the searches are not working as expected; I do get some gaps in the data like:
2015-05-22 17.131487 35.147383 81.106295 40.277513 16.139312 13.474499 0.416715 67.234671
2015-05-23
2015-05-24
2015-05-25 5.011769 13.724414 14.070526 0.100698 5.972581 8.733943 0.059590 17.965508
thus the isnull clause, but the totalGb field or sum(Gb) doesn't seem to be available downstream.
Why, and how can I make this work?
index=summary report=summarised_st earliest=-30d@d latest=@d
| where date_wday="monday" OR date_wday="tuesday" OR date_wday="wednesday" OR date_wday="thursday" OR date_wday="friday"
| eval MonSourceType = sourcetype."MonthlyAvg"
| timechart limit=8 useother=f span=1d sum(GB) as totalGb by MonSourceType
| where NOT isnull(totalGb)
| stats avg(totalGb) by MonSourceType
First of all, you have a typo where MonSourceType will not match monSourceType. Also, you are creating totalGb but using sum(GB) which no longer exists. In any case, this is better:
index=summary report=summarised_st earliest=-30d@d latest=@d
| where date_wday="monday" OR date_wday="tuesday" OR date_wday="wednesday" OR date_wday="thursday" OR date_wday="friday"
| eval MonSourceType = sourcetype."MonthlyAvg"
| bucket _time span=1d
| stats sum(GB) as DailyGbBySourcetype by MonSourceType
| stats avg(DailyGbBySourcetype) AS AvgDailyGbBySourcetype by MonSourceType
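As an added example (not part of the original question or the answer above) of carrying the same bucket-then-stats approach through to the alert the question describes: the search below builds a weekday-only hourly baseline per sourcetype over the last 30 days and returns only sourcetypes whose current hour exceeds that baseline by the ratio. Index, report and field names are taken from the question; the 1.5 threshold and the one-hour comparison window are assumptions.

```spl
index=summary report=summarised_st earliest=-30d@d latest=now
| where date_wday!="saturday" AND date_wday!="sunday"
| eval period=if(_time >= relative_time(now(), "-1h@h"), "current", "baseline")
| bucket _time span=1h
| stats sum(GB) as hourlyGb by _time sourcetype period
| eventstats avg(eval(if(period=="baseline", hourlyGb, null()))) as baselineHourlyGb by sourcetype
| eval ratio=round(hourlyGb / baselineHourlyGb, 2)
| where period=="current" AND ratio > 1.5
| table _time sourcetype hourlyGb baselineHourlyGb ratio
```

Because the baseline is computed with stats and eventstats rather than timechart ... by, it stays a single named field on every row and can be referenced downstream, which is exactly what the totalGb clause in the original search could not do. Scheduled hourly with an alert condition of "number of results greater than 0", this flags a sourcetype whose ingest volume has jumped, which is also a useful early signal of a noisy or misconfigured log source.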
Yeah, those typos just came to be when I was masking the search to paste it publicly;
my initial search didn't suffer from those. Thanks
So did this work?