How to use a field name from one search to perform...

belladonna · ‎06-14-2016

Hello.

I want to make a dashboard with statistics about errors that happen in our application. I've made column chart with errorOperationsCount/operationsCount.
Then I've added 1 panel on my dashboard and I want to fill it with timechart of results of top-1 operation from first search. I want to make it through hidden search (so that I just complement the first search), but I don't know how to do it. Can you help me, please?

My current implementation:

1) chart with errorOperationsCount/operationsCount

index=prt 
 | chart dc(trackingId) over operation by result 
 | addtotals 
 | eval ratio = 1 - coalesce(OK,0)/Total 
 | fields operation, ratio 
 | sort limit=25 -ratio

2) first panel (I couldn't come up with how to do it through using result of first search)

index=prt result=* 
[search index=prt result=* 
| chart dc(trackingId) over operation by result 
| addtotals 
| eval ratio = 1 - coalesce(OK,0)/Total 
| sort limit=1 -ratio |fields operation]
|timechart span=1h count by result

sundareshr · ‎06-15-2016

Try this (beware of Post process limitations)

*For you base search*

<search id="base"><query>index=prt | eventstats c(trackingid) as total c(eval(result="OK")) as ok by operation | eval ratio=ok/total</query></search>

For your first chart*

<search base="base">
<query>stats max(ratio) as ratio by operation | sort 25 -ratio</</query></search>

*For your panel*

<search base="base"><search>eventstats min(ratio) as min_ratio | where ratio=min_ratio | timechart span=1h c by result</query></search>

belladonna · ‎06-16-2016

Thank you, sundareshr!
But I have result table like this

operation result
check 0.3
search 0.3
process 0.3

Which one of rows the "eventstats min(ratio) as min_ratio | where ratio=min_ratio" will resturn? I didn't write in my question, but I want to have 4 panels of top-4 error operations, not just 1. So I want to have some way to get the row number x and then make timechart for the operation number x. Thank you in advance for your attention to this matter.

sundareshr · ‎06-16-2016

eventstats works on all row. In this case, it is get the min(ratio) from all the rows a set that value to field min_ratio for all rows. For the 4 panels, you can use a combination of head & tail commands to get the specific row you need. So for the first panel, you will add head for the second row add head 2 | tail 1 for the third head 3 | tail 1 and for the fourth tail 1

belladonna · ‎06-17-2016

But

index=prt result=*
 | eventstats c(eval(result!="")) as totalOp c(eval(result="OK")) as okOp by operation 
 | eval ratio=1-okOp/totalOp|stats max(ratio) as ratio by operation | sort 3 -ratio|head|timechart count(operation) by result

doesn't return anything

sundareshr · ‎06-18-2016

That's because you have a stats command that does not include the _time field. Change the stats command to eventstats. So you search will look like this

index=prt result=*
| eventstats c(eval(result!="")) as totalOp c(eval(result="OK")) as okOp by operation 
| eval ratio=1-okOp/totalOp
| eventstats max(ratio) as ratio by operation 
| timechart count(operation)max(ratio)  by result 
| sort 3 -ratio 
| head 1

DavidHourani · ‎06-15-2016

use a subsearch ?

belladonna · ‎06-15-2016

I use subsearch. But how can I use it so that I will use the result of first search?

How to use a field name from one search to perform another?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases