I'm able to get the data I'm looking for on the stats tab, but because there are multiple values for one of the columns the visualizer can't draw a pretty line.
At a high level I'm trying to link up server level metrics with process level metrics on the same report.
ApplicationName="myApp"
host="myServer"
(
(eventtype="perfmon_windows" object="Network Interface" counter="Bytes Total/sec")
OR
(eventtype="perfmon_windows" object="Process" counter="Private Bytes" instance="w3wp*")
OR
(sourcetype=iis OR sourcetype=null())
)
| eval multipleValues = if(counter=="Private Bytes", Value, null())
| eval networkUtilizationValue = if(counter=="Bytes Total/sec", Value/1024, null())
| bucket _time span=1m
| chart count(eval(like(sourcetype, "iis"))) as transCount
, values(multipleValues) as theFieldWithAnIssue
, values(networkUtilizationValue) as networkUtilization
by _time
I'm getting data, but there are multiple values for the second field. The field is groupable by "instance" but I don't know where to add this group by. I can average the fields but I really want them grouped by the "instance".
Sample data:
Time                  transCount  theFieldWithAnIssue  networkUtilization
2017-05-11 20:55:00   123         123                  123
                                  456
                                  789
Thanks.
You can use mvexpand or just break it out along the way like this:
... | stats count(eval(like(sourcetype, "iis"))) as transCount by _time multipleValues networkUtilizationValue
I don't want the transcount by the other fields, I want it to be the total transcount for the whole server and only break the "multipleValues" field out by instance.
What do you mean "for the whole server"; you do not have a field called server or anything remotely like it (e.g. host).
Can you add an |mvexpand theFieldWithAnIssue at the end?
Or is it that you're looking to add another by command?
...| stats count(eval(like(sourcetype, "iis"))) as transCount
, values(multipleValues) as theFieldWithAnIssue
, values(networkUtilizationValue) as networkUtilization
by _time instance
Hmmm, I think this is getting closer.
Tried the mvexpand and it fixed the issue of the visualization, but it still has the values across all the "instance" groups in one field. Ideally it would be grouped by the instance.
Tried adding the instance to the "by" and it is grouping all the fields by instance now, but I really only want the single field grouped by the instance.
In a perfect world it would be something like:
| chart count(eval(like(sourcetype, "iis"))) as transCount
, values(value1) as valueToCheck by instance
, values(networkUtilizationValue) as networkUtilization
by _time
I did figure out that I can fix the issue by adding eval statements for each instance...but that is tedious and boring. Thanks.
Could you try to do something like:
|eval instanceValue=instance+" - "+value1
|chart count(eval(like(sourcetype, "iis"))) as transCount values(instanceValue) as valueToCheck values(networkUtilizationValue) as networkUtilization by _time
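One way to break only the Private Bytes value out by instance while transCount and networkUtilization stay whole-host values per minute, shown as an added example that does not come from any poster in this thread. It relies on eval's {field} dynamic field naming and a wildcard in stats; the names inst and privateBytes_* are made up for illustration, and avg is used so that each cell holds a single number the line chart can plot.

```spl
ApplicationName="myApp" host="myServer"
(
    (eventtype="perfmon_windows" object="Network Interface" counter="Bytes Total/sec")
    OR (eventtype="perfmon_windows" object="Process" counter="Private Bytes" instance="w3wp*")
    OR (sourcetype=iis OR sourcetype=null())
)
| eval inst = replace(instance, "[^A-Za-z0-9]", "_")
| eval privateBytes_{inst} = if(counter=="Private Bytes", Value, null())
| eval networkUtilizationValue = if(counter=="Bytes Total/sec", Value/1024, null())
| bucket _time span=1m
| stats count(eval(like(sourcetype, "iis"))) as transCount
    , avg(privateBytes_*) as privateBytes_*
    , avg(networkUtilizationValue) as networkUtilization
    by _time
```

Each w3wp instance becomes its own privateBytes_<instance> column, so the visualization draws one line per instance without a hand-written eval for each one.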