I have this search:
sourcetype="evento_notable" | dedup KPI | eval kpica=case(ClientesActivos <=15000, 90, ClientesActivos >=15001 AND ClientesActivos <=16999, 100, ClientesActivos >=17000,90), kpicc=case(ConexionesConcurrentes <=300000, 90, ConexionesConcurrentes >=300001 AND ConexionesConcurrentes <=1799999, 100, ConexionesConcurrentes >=180000,90), Vel=E_speed/1048576, kpivl=case(Vel <=5 , 50, Vel >=5.1 AND Vel <=15, 60, Vel >=15.1 AND Vel <=19.99 , 70, Vel >=20, 100), kpidns=case(time_request >=2 , 50, time_request <=1.99 AND time_request >=1.01, 70, time_request <=1 AND time_request >=0.8 , 90, time_request <0.8, 100), kpign= (kpica+kpicc+kpivl+kpidns)/4 | stats avg(kpign) as "Networking health"
The expression "kpign= (kpica+kpicc+kpivl+kpidns)/4" does not produce the field "kpign".
Try this:
sourcetype="evento_notable"
| dedup KPI
| eval kpica=case(ClientesActivos <=15000, 90,
ClientesActivos >=15001 AND ClientesActivos <=16999, 100,
ClientesActivos >=17000,90,
true(), 0)
| eval kpicc=case(ConexionesConcurrentes <=300000, 90,
ConexionesConcurrentes >=300001 AND ConexionesConcurrentes <=1799999, 100,
ConexionesConcurrentes >=180000,90,
true(), 0)
| eval Vel=E_speed/1048576
| eval kpivl=case(Vel <=5 , 50,
Vel >=5.1 AND Vel <=15, 60,
Vel >=15.1 AND Vel <=19.99 , 70,
Vel >=20, 100,
true(), 0)
| eval kpidns=case(time_request >=2 , 50,
time_request <=1.99 AND time_request >=1.01, 70,
time_request <=1 AND time_request >=0.8 , 90,
time_request <0.8, 100,
true(), 0)
| eval kpign= (kpica+kpicc+kpivl+kpidns)/4
| stats avg(kpign) as "Networking health"
You need to make certain (with a final default case in your case statement using true()) that each of your arguments to the sum ALWAYS has a value. I am quite certain that the value of 0 that I have used is wrong, but it will cause your sum to work reliably.
@woodcock, line 17 is missing a comma after 50:
| eval kpidns=case(time_request >=2 , 50,
Fair enough; fixed now (re-edit).
Thanks, but the problem is that the resulting kpign field does not appear.
@medveleyenet, what are you seeing right now? Does your search result say "No results found" or something else? The query above by @woodcock has a default case that sets each field to 0 when none of the conditions match. This implies that as long as you get results after | dedup KPI you should see "Networking health" (worst case is 0). The following is a run-anywhere search where you can set test conditions using eval. It will result in 0 since none of the conditions are set.
| makeresults
| eval kpica=case(ClientesActivos <=15000, 90,
ClientesActivos >=15001 AND ClientesActivos <=16999, 100,
ClientesActivos >=17000,90,
true(), 0)
| eval kpicc=case(ConexionesConcurrentes <=300000, 90,
ConexionesConcurrentes >=300001 AND ConexionesConcurrentes <=1799999, 100,
ConexionesConcurrentes >=180000,90,
true(), 0)
| eval Vel=E_speed/1048576
| eval kpivl=case(Vel <=5 , 50,
Vel >=5.1 AND Vel <=15, 60,
Vel >=15.1 AND Vel <=19.99 , 70,
Vel >=20, 100,
true(), 0)
| eval kpidns=case(time_request >=2 , 50,
time_request <=1.99 AND time_request >=1.01, 70,
time_request <=1 AND time_request >=0.8 , 90,
time_request <0.8, 100,
true(), 0)
| eval kpign= (kpica+kpicc+kpivl+kpidns)/4
| stats avg(kpign) as "Networking health"
If your issue is something else, you will have to provide a sample for each field. I noticed you are performing a dedup on KPI, but that field is not used anywhere else.
There are 3 reasons for your sum to fail:
1) One (or more) of the fields has no value. I have solved this for you with my answer.
2) One (or more) of the fields is not a number (NaN).
3) One (or more) of the fields is multi-valued. This is a whole other matter, entirely.
To test, use my existing answer but add this line just above the eval kpign line:
| mvexpand kpica | mvexpand kpicc| mvexpand kpivl | mvexpand kpidns
and change the eval kpign line to this:
| eval kpign= (tonumber(kpica)+tonumber(kpicc)+tonumber(kpivl)+tonumber(kpidns))/4
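The three failure reasons above (missing value, non-numeric value, multivalue field) can be reproduced and flagged per row in one run-anywhere search. This is an added example, not part of any answer in this thread; the four rows and the field names has_null, has_non_numeric, has_multivalue and rows_excluded are constructed here for illustration. Instead of defaulting a bad operand to 0 (which silently drags the average down), it leaves kpign empty on any row that fails a check, so stats avg() skips that row, and it reports how many rows were excluded and why.

```spl
| makeresults count=4
| streamstats count AS row
| eval kpica=case(row=2, "n/a", true(), 90)
| eval kpicc=case(row=1, null(), true(), 100)
| eval kpivl=60
| eval kpidns=case(row=3, mvappend(70, 50), true(), 70)
| eval has_null=if(isnull(kpica) OR isnull(kpicc) OR isnull(kpivl) OR isnull(kpidns), 1, 0)
| eval has_non_numeric=if((mvcount(kpica)=1 AND isnull(tonumber(kpica))) OR (mvcount(kpicc)=1 AND isnull(tonumber(kpicc))) OR (mvcount(kpivl)=1 AND isnull(tonumber(kpivl))) OR (mvcount(kpidns)=1 AND isnull(tonumber(kpidns))), 1, 0)
| eval has_multivalue=if(mvcount(kpica)>1 OR mvcount(kpicc)>1 OR mvcount(kpivl)>1 OR mvcount(kpidns)>1, 1, 0)
| eval kpign=if(has_null=0 AND has_non_numeric=0 AND has_multivalue=0, (tonumber(kpica)+tonumber(kpicc)+tonumber(kpivl)+tonumber(kpidns))/4, null())
| stats avg(kpign) AS "Networking health", sum(eval(if(isnull(kpign),1,0))) AS rows_excluded, sum(has_null) AS null_rows, sum(has_non_numeric) AS non_numeric_rows, sum(has_multivalue) AS multivalue_rows
```

Row 1 is missing kpicc, row 2 has a non-numeric kpica, row 3 has a multivalue kpidns, and only row 4 contributes to the average; replace the makeresults/streamstats/first four evals with your real search and the checks apply unchanged.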
Thanks, with the first answer I can sum the fields, but some results are 0 and that modifies the final result of the expression eval kpign=(kpicc + kpica +kpivl + kpidns)/4
Well there you go; set an appropriate default value for the operands (other than 0) and then you are done.
@medveleyenet, have you tried splitting evals like the following? What is the error you are getting with current query?
sourcetype="evento_notable"
| dedup KPI
| eval kpica=case(ClientesActivos <=15000, 90, ClientesActivos >=15001 AND ClientesActivos <=16999, 100, ClientesActivos >=17000,90)
| eval kpicc=case(ConexionesConcurrentes <=300000, 90, ConexionesConcurrentes >=300001 AND ConexionesConcurrentes <=1799999, 100, ConexionesConcurrentes >=180000,90)
| eval Vel=E_speed/1048576
| eval kpivl=case(Vel <=5 , 50, Vel >=5.1 AND Vel <=15, 60, Vel >=15.1 AND Vel <=19.99 , 70, Vel >=20, 100)
| eval kpidns=case(time_request >=2 , 50, time_request <=1.99 AND time_request >=1.01, 70, time_request <=1 AND time_request >=0.8 , 90, time_request <0.8, 100)
| eval kpign= (kpica+kpicc+kpivl+kpidns)/4
| stats avg(kpign) as "Networking health"
Following @niketnillay, are all of your evaluated fields coming through except login with your current query? Are any missing? If you're in verbose mode, you can check for these fields on the left-hand side of the events; otherwise you can add a | fields kpign kpica kpicc kpivl kpidns Vel
I need to sum the fields kpicc, kpivl, kpidns and kpica, but the field "kpign" doesn't appear.