Use subsearch for timechart

tgdvopab · ‎08-17-2016

I want to use two evals with subsearches. In the subsearches I would like to use a timechart to count the number of event per day.
At the end, I want to use a third timechart and display the two generated variables.
My code looks like the following:

index=lync_scs source="WinEventLog:Lync Server" | eval id_one = [ search index=lync_scs source="WinEventLog:Lync Server" EventCode=4410 | timechart span=1d count as id_one] | eval id_two = [ search index=lync_scs source="WinEventLog:Lync Server" EventCode=41113 | timechart span=1d count as id_two] | timechart span=1d values(id*)

Unfortunately, my search doesnt work.
Could you help me please? Thanks a lot!

davebrooking · ‎08-17-2016

Hi

I haven't tested this, but could you use something like

index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application  | 
eval not_available=if(EventCode=700 OR EventCode=702,1,0) |
eval available=if(EventCode!=700 OR EventCode!=702,1,0) |
timechart span=1d sum(available) as available sum(not_available) as not_available

You can also use eval functions within stats/chart/timechart commands, as shown in the Search Manual.

    index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application  | 
    timechart span=1d sum(eval(if(EventCode!=700 OR EventCode!=702,1,0))) as available sum(eval(if(EventCode=700 OR EventCode=702,1,0))) as not_available

Dave

tgdvopab · ‎08-17-2016

Thanks a lot! So I have the following search:

index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application |
 eval not_available=if(EventCode=700 OR EventCode=702,1,0) |
 eval available=if(EventCode!=700 OR EventCode!=702,1,0) | timechart span=1d sum(available) as available_time, sum(not_available) as not_available_time

I need one field more.
This field is calculated like this:

eval sla = 100 - (not_available_time / available_time)^

Do you know, how can I include this in the timechart?

sundareshr · ‎08-17-2016

Just add eval sla = 100 - (not_available_time / available_time) to the end of your query.

tgdvopab · ‎08-17-2016

I forgot the return $id_one and return $id_two after the timechart in the evals

davebrooking · ‎08-17-2016

Why are you using subsearches? Does the following come close to what you're trying to achieve?

index=lync_scs source="WinEventLog:Lync Server" (EventCode=4410 OR EventCode=41113) | timechart span=1d count by EventCode

Dave

tgdvopab · ‎08-17-2016

I used the code as an example.
This is my original search:

index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application  | eval sla=99.9 | eval not_available = [search index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application  EventCode=700 OR Eventcode=702 | timechart span=1d count as not_available | return $not_available] | eval available = [search index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application  EventCode!=700 OR Eventcode!=702 | timechart span=1d count as available | return $available] | eval sla2 = 100 - (not_available / available) | timechart span=1d values(*available)

Do you know another way?

Use subsearch for timechart

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes