I have a chart and would like to get a total of all the peaks values on the chart. This chart calculates idle time and goes up and then drops to 0 once the machine is no longer idle. I would like to get all the peaks and add them together. Is there a way to do this in a search? Below is what my search looks like now.
sourcetype="search" host=host1* | timechart avg(idle) as "Idle Time"
Give this a try
sourcetype="search" host=host1* | timechart avg(idle) as "Idle Time" | eval sno=if('Idle Time'=0,1,0) | accum sno
| eventstats max("Idle Time") as max by sno | where 'Idle Time'=max | table _time "Idle Time"
That did it! Thanks so much, I never would have figured that out.
Try this
sourcetype="search" host=host1* | timechart avg(idle) as "Idle Time" | where 'Idle Time'>0 | stats sum("Idle Time") as Peaks
That seems to be adding all the times, not just the peaks. So if my values were:
1,2,3,4,0,0,1,2,3,0
I would see 16 with your search. I would like to see 7. That would get the sum of 4 and 3.
Try this then. You can adjust the last segment to what you would consider an acceptable peak.
sourcetype="search" host=host1* | timechart avg(idle) as "Idle Time" | eventstats min("Idle Time") as low | where (low/'Idle Time')>.5 | stats sum("Idle Time") as IdleTime
It's still not finding the peaks and adding them. Looks like it's still just adding all the numbers.
sourcetype="search" host=host1* | table idle | eventstats max(idle) as low | where (low/'idle') > 1 | stats sum(idle) as idle
Here are the values I get when I search sourcetype="search1" host=host1 | table idle
0
0
0
0
0
0
4
3
2
1
0
8
7
6
5
4
3
2
1
0
So with this search I would like to see the number 12 that adds the 2 peaks found of 8 and 4. I can't figure out how to just display those peaks.
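The accepted `accum`-based search above segments the series at every zero row and keeps the maximum of each segment; the following Python is an added example (not from the thread or from Splunk) that reimplements that logic so the two value series posted here can be checked offline. The `segment_peaks` and `sum_of_peaks` function names and the `SERIES_A`/`SERIES_B` sample data are my own constructions from the posted values.

```python
"""Added example: the segment-and-max logic of the accepted `accum`-based
search, reimplemented in Python and checked against the two series posted
in the thread (expected sums 7 and 12)."""
from typing import Dict, List


def segment_peaks(values: List[float]) -> Dict[int, float]:
    """Mirror `eval sno=if(v=0,1,0) | accum sno | eventstats max(v) by sno`.

    Every zero row starts a new segment (the running counter `sno` grows by
    one), and the non-zero rows that follow share that segment id until the
    next zero. Returns segment id -> maximum value, i.e. the peak of that
    idle run; a segment made of a lone zero has peak 0.
    """
    peaks: Dict[int, float] = {}
    sno = 0
    for v in values:
        if v == 0:
            sno += 1  # accum sno: the zero row itself opens the new segment
        peaks[sno] = max(peaks.get(sno, v), v)
    return peaks


def sum_of_peaks(values: List[float]) -> float:
    """What the thread asks for: one maximum per idle run, added together.

    Unlike `where 'Idle Time'>0 | stats sum(...)`, which adds every sample
    (16 for SERIES_A), this adds only the run maxima. Note that a plateau
    such as 4,4 inside one run counts once here, whereas the SPL
    `where 'Idle Time'=max` keeps every row equal to the maximum, so a
    plateau would be summed twice if those rows were fed to `stats sum`.
    """
    return sum(segment_peaks(values).values())


# Constructed from the values posted in the thread.
SERIES_A = [1, 2, 3, 4, 0, 0, 1, 2, 3, 0]                                # expected 7
SERIES_B = [0, 0, 0, 0, 0, 0, 4, 3, 2, 1, 0, 8, 7, 6, 5, 4, 3, 2, 1, 0]  # expected 12

if __name__ == "__main__":
    for name, series in (("A", SERIES_A), ("B", SERIES_B)):
        print(name, "all samples:", sum(series), "peaks:", sum_of_peaks(series))
```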