I have anti-virus data and I want to plot the the types of alerts on a chart over time. I want to plot the data such that I can graphically see all virus related alerts compared to all AV alerts (to include the virus count).
Using my current query, I am getting two lines on my chart, Virus and NULL.
Does the 1=1 condition count all cases as true? Or only all that didn't meet the previous cases? I need a count of all alerts to include the Virus.
current query
index=av alert=*
| eval alert_type = case(alert="virus-adware","Virus", alert="pup-virus","Virus", alert="banking-malware","Virus", 1=1,All)
| timechart count by alert_type span=1d
final working query
index=av alert=*
| eval Virus= if(alert="virus-adware" OR alert="pup-virus" OR alert="banking-malware", 1,0)
| timechart span=1d sum(Virus) as Virus count as All
You need to include default case value All
in double quotes. Without it, it's trying to assign value of field All
which probably doesn't exist in your data (hence NULL).
index=av alert=*
| eval alert_type = case(alert="virus-adware","Virus", alert="pup-virus","Virus", alert="banking-malware","Virus", 1=1,"All")
| timechart count by alert_type span=1d
You need to include default case value All
in double quotes. Without it, it's trying to assign value of field All
which probably doesn't exist in your data (hence NULL).
index=av alert=*
| eval alert_type = case(alert="virus-adware","Virus", alert="pup-virus","Virus", alert="banking-malware","Virus", 1=1,"All")
| timechart count by alert_type span=1d
Doh! I totally missed the quotes. That fixed it. Do you know if the 1=1 case is an aggregate of all or only all which do not meet previous case=
statements? Reason is that I want to plot virus vs all (to include the virus count). e.g.: if it were 20 out of 100 total alerts rather than 20 and 80 other alerts.
It'll be for all non-matching events. If you want cumulative, try this variation.
index=av alert=*
| eval Virus= if(alert="virus-adware" OR alert="pup-virus" OR alert="banking-malware", 1,0)
| timechart span=1d sum(Virus) as Virus count as All
This works, thank you!
I use true()
instead of 1==1
because it is more clear.