Hello.
I want to make a dashboard with statistics about errors that happen in our application. I've made column chart with errorOperationsCount/operationsCount.
Then I've added 1 panel on my dashboard and I want to fill it with timechart of results of top-1 operation from first search. I want to make it through hidden search (so that I just complement the first search), but I don't know how to do it. Can you help me, please?
My current implementation:
1) chart with errorOperationsCount/operationsCount
index=prt
| chart dc(trackingId) over operation by result
| addtotals
| eval ratio = 1 - coalesce(OK,0)/Total
| fields operation, ratio
| sort limit=25 -ratio
2) first panel (I couldn't come up with how to do it through using result of first search)
index=prt result=*
[search index=prt result=*
| chart dc(trackingId) over operation by result
| addtotals
| eval ratio = 1 - coalesce(OK,0)/Total
| sort limit=1 -ratio |fields operation]
|timechart span=1h count by result
Try this (beware of Post process limitations)
*For you base search*
<search id="base"><query>index=prt | eventstats c(trackingid) as total c(eval(result="OK")) as ok by operation | eval ratio=ok/total</query></search>
For your first chart*
<search base="base">
<query>stats max(ratio) as ratio by operation | sort 25 -ratio</</query></search>
*For your panel*
<search base="base"><search>eventstats min(ratio) as min_ratio | where ratio=min_ratio | timechart span=1h c by result</query></search>
Thank you, sundareshr!
But I have result table like this
operation result
check 0.3
search 0.3
process 0.3
Which one of rows the "eventstats min(ratio) as min_ratio | where ratio=min_ratio" will resturn? I didn't write in my question, but I want to have 4 panels of top-4 error operations, not just 1. So I want to have some way to get the row number x and then make timechart for the operation number x. Thank you in advance for your attention to this matter.
eventstats works on all row. In this case, it is get the min(ratio) from all the rows a set that value to field min_ratio for all rows. For the 4 panels, you can use a combination of head & tail commands to get the specific row you need. So for the first panel, you will add head
for the second row add head 2 | tail 1
for the third head 3 | tail 1
and for the fourth tail 1
But
index=prt result=*
| eventstats c(eval(result!="")) as totalOp c(eval(result="OK")) as okOp by operation
| eval ratio=1-okOp/totalOp|stats max(ratio) as ratio by operation | sort 3 -ratio|head|timechart count(operation) by result
doesn't return anything
That's because you have a stats
command that does not include the _time
field. Change the stats
command to eventstats
. So you search will look like this
index=prt result=*
| eventstats c(eval(result!="")) as totalOp c(eval(result="OK")) as okOp by operation
| eval ratio=1-okOp/totalOp
| eventstats max(ratio) as ratio by operation
| timechart count(operation)max(ratio) by result
| sort 3 -ratio
| head 1
use a subsearch ?
I use subsearch. But how can I use it so that I will use the result of first search?