I want to use two evals with subsearches. In the subsearches I would like to use a timechart to count the number of event per day.
At the end, I want to use a third timechart and display the two generated variables.
My code looks like the following:
index=lync_scs source="WinEventLog:Lync Server" |
eval id_one = [ search index=lync_scs source="WinEventLog:Lync Server" EventCode=4410 | timechart span=1d count as id_one] |
eval id_two = [ search index=lync_scs source="WinEventLog:Lync Server" EventCode=41113 | timechart span=1d count as id_two] |
timechart span=1d values(id*)
Unfortunately, my search doesn't work.
Could you help me please? Thanks a lot!
Hi
I haven't tested this, but could you use something like
index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application |
eval not_available=if(EventCode=700 OR EventCode=702,1,0) |
eval available=if(EventCode!=700 AND EventCode!=702,1,0) |
timechart span=1d sum(available) as available sum(not_available) as not_available
You can also use eval functions within stats/chart/timechart commands, as shown in the Search Manual.
index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application |
timechart span=1d sum(eval(if(EventCode!=700 AND EventCode!=702,1,0))) as available sum(eval(if(EventCode=700 OR EventCode=702,1,0))) as not_available
Dave
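As an added illustration of what the conditional sums in the answer above compute (and of the per-day `sla` field asked about later in this thread), here is a small Python model of `timechart span=1d sum(...)` over a few constructed Windows Application log events. This is example code written for this page, not part of the original thread or of Splunk; the sample events, hosts and non-700/702 event codes are made up. It also shows why the availability test must be written with AND: the predicate `EventCode!=700 OR EventCode!=702` is true for every event, so it counts every event as "available".

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, host, EventCode).
# These are not real log records; they only mirror the fields the
# searches in this thread filter on.
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00", "server1", 700),
    ("2024-03-01T09:30:00", "server1", 1000),
    ("2024-03-01T10:00:00", "server2", 702),
    ("2024-03-01T11:00:00", "server2", 1000),
    ("2024-03-02T01:00:00", "server1", 1000),
    ("2024-03-02T02:00:00", "server2", 1000),
    ("2024-03-02T03:00:00", "server2", 1000),
    ("2024-03-03T00:00:00", "server1", 700),
]

# EventCodes the thread treats as "not available".
NOT_AVAILABLE_CODES = {700, 702}


def is_not_available(code):
    """eval not_available=if(EventCode=700 OR EventCode=702,1,0)"""
    return 1 if code in NOT_AVAILABLE_CODES else 0


def is_available(code):
    """eval available=if(EventCode!=700 AND EventCode!=702,1,0)"""
    return 1 if code not in NOT_AVAILABLE_CODES else 0


def is_available_with_or(code):
    """The OR form: EventCode!=700 OR EventCode!=702.

    No single code can equal both 700 and 702, so one side of the OR
    is always true and every event is counted as available.
    """
    return 1 if (code != 700 or code != 702) else 0


def timechart_daily(events, available_fn):
    """Emulate: timechart span=1d sum(available) sum(not_available).

    Buckets events by calendar day and sums the two 0/1 flags.
    Returns {day: {"available": n, "not_available": m}} sorted by day.
    """
    buckets = defaultdict(lambda: {"available": 0, "not_available": 0})
    for ts, _host, code in events:
        day = datetime.fromisoformat(ts).date().isoformat()
        buckets[day]["available"] += available_fn(code)
        buckets[day]["not_available"] += is_not_available(code)
    return dict(sorted(buckets.items()))


def add_sla(rows):
    """eval sla = 100 - (not_available_time / available_time)

    Uses the formula exactly as posted in the thread, with a guard for a
    day that has no available events (division by zero); such a day gets
    sla=None rather than raising.
    """
    for row in rows.values():
        if row["available"] == 0:
            row["sla"] = None
        else:
            row["sla"] = 100 - (row["not_available"] / row["available"])
    return rows


if __name__ == "__main__":
    for day, row in add_sla(timechart_daily(SAMPLE_EVENTS, is_available)).items():
        print(day, row)
    # With the OR predicate, every event on 2024-03-01 is "available":
    print(timechart_daily(SAMPLE_EVENTS, is_available_with_or)["2024-03-01"])
```

Running it shows 2024-03-01 with two available and two not-available events under the AND predicate, but four "available" events under the OR predicate, which is the difference to look for if the timechart columns come out identical to the raw event count.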
Thanks a lot! So I have the following search:
index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application |
eval not_available=if(EventCode=700 OR EventCode=702,1,0) |
eval available=if(EventCode!=700 AND EventCode!=702,1,0) |
timechart span=1d sum(available) as available_time, sum(not_available) as not_available_time
I need one field more.
This field is calculated like this:
eval sla = 100 - (not_available_time / available_time)
Do you know how I can include this in the timechart?
Just add eval sla = 100 - (not_available_time / available_time) to the end of your query.
I forgot the return $id_one and return $id_two after the timechart in the evals.
Why are you using subsearches? Does the following come close to what you're trying to achieve?
index=lync_scs source="WinEventLog:Lync Server" (EventCode=4410 OR EventCode=41113) | timechart span=1d count by EventCode
Dave
I used the code as an example.
This is my original search:
index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application |
eval sla=99.9 |
eval not_available = [search index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application EventCode=700 OR Eventcode=702 | timechart span=1d count as not_available | return $not_available] |
eval available = [search index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application EventCode!=700 OR Eventcode!=702 | timechart span=1d count as available | return $available] |
eval sla2 = 100 - (not_available / available) |
timechart span=1d values(*available)
Do you know another way?