Need a way to select only specific events from the list of events, so here is the example: I have a query on IIS logs which gives me around, say, 60000 events, so I want to select every 12th event from the searched 60 events to do stats on those filtered events.
Try like this
your base search | eval sno=1 | accum sno | where floor(sno/12)=(sno/12) | rest of your search
Thanks for the response. I have one more question: how could I store the event count of a search so that I can do some arithmetic on it?
Not sure I get it. Do you want the count of total search results in a field so that you can do some calculation (like a percentage calculation) on it?
If above is true, you can use eventstats command to add aggregation in a new field, without changing/aggregating the search results.
e.g. this will give you the field totalEvents with the total events before the filter:
your base search | eval sno=1 | accum sno | eventstats count as totalEvents | where floor(sno/12)=(sno/12) | rest of your search
That's similar to what I am looking for, but I am facing an issue here. In the above search, I want to decide the number 12 by doing math with the total events:
your base search | eval sno=1 | accum sno | eventstats count as totalEvents |eval div=totalEvents /5000 |where floor(sno/div)=(sno/div) | rest of your search
but it's not giving me correct results!
Could you explain what exactly your requirement is? You want to take every 12th event for your stats and use the total events (before the every-12th-event filter) for what?
Need to get a sample size of 5000 events to calculate the mean and standard deviation for each day for the last 60 days, so in order to get a random sample of 5000 events I am calculating the total events, and then div is floor(totalEvents/5000). Once I have this, I am picking each event based on div (like 12 before).
I am able to get it like this:
your base search | eval sno=1 | accum sno | eventstats count as totalEvents |eval div=floor(totalEvents /5000) |where floor(sno/div)=(sno/div) | head 5000| timechart span=1d avg(filedx) stddev(filedx)..
Is there anything wrong with this search?
Try this
your base search | streamstats window=12 current=t count | where count=12 | stats ...
This will just exclude first 11 events
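An added Python model of the three SPL pipelines in this thread (not Splunk code and not from any poster), run over a constructed event list so the filters can be compared: the every-12th selection via accum, the div computed from eventstats with and without floor, and the streamstats window filter. Field and function names are my own.

```python
import math

def make_events(n):
    """Constructed stand-in for the IIS search results: n events with a dummy numeric field."""
    return [{"fieldx": i % 97} for i in range(n)]

def accum_sno(events):
    """eval sno=1 | accum sno : attach a running 1-based counter to every event."""
    return [dict(e, sno=i) for i, e in enumerate(events, start=1)]

def keep_multiples(events, div):
    """where floor(sno/div)=(sno/div) : keep events whose sno is an exact multiple of div."""
    if not div:  # div=0 (total < 5000 after floor): SPL yields null and the where drops every event
        return []
    return [e for e in events if math.floor(e["sno"] / div) == e["sno"] / div]

def every_nth(events, n=12):
    """... | eval sno=1 | accum sno | where floor(sno/12)=(sno/12)"""
    return keep_multiples(accum_sno(events), n)

def sample_by_total(events, target=5000, use_floor=True):
    """... | eventstats count as totalEvents | eval div=totalEvents/5000 | where floor(sno/div)=(sno/div)
    eventstats count puts the same totalEvents on every event, so div is one step size for the whole set.
    Without floor, div is usually not an integer, so sno/div is almost never a whole number
    and the where clause keeps (almost) nothing; with floor it keeps roughly `target` events."""
    total = len(events)
    div = total / target
    if use_floor:  # the thread's second version: eval div=floor(totalEvents/5000)
        div = math.floor(div)
    return keep_multiples(accum_sno(events), div)

def streamstats_window_filter(events, window=12):
    """... | streamstats window=12 current=t count | where count=12
    count is the number of events in the trailing window including the current one; it reaches
    `window` at the 12th event and stays there, so the filter only drops the first window-1 events."""
    counted = [dict(e, count=min(i, window)) for i, e in enumerate(events, start=1)]
    return [e for e in counted if e["count"] == window]

if __name__ == "__main__":
    evts = make_events(60007)
    print("every 12th:", len(every_nth(evts)))
    print("div without floor:", len(sample_by_total(evts, use_floor=False)))
    print("div with floor:", len(sample_by_total(evts)))
    print("streamstats window=12 / count=12:", len(streamstats_window_filter(evts)))
```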