I have the below events and I want to merge the search results:
20171222.103330 Fr I - 0 Fn=makeRequest Endpoint=https://mydomain.api..net/v1/person/personid tid=e95126db-6184-4405-8c74-2ed978beb320 HttpStatusCode=200 ElapsedTime=55
I want to get the following result -
ErrorRate | tp90
I have the below two separate queries. How can I merge both queries -
index=abc "Fn=makeRequest" HttpStatusCode > 201 AND HttpStatusCode !=404 |timechart bins=1000 count as ErrorRate
index=abc "Fn=makeRequest" |timechart bins=1000 cont=FALSE perc90(ElapsedTime) as perc90
You can use eval
in statistics commands to help you qualify fields e.g.:
index=abc "Fn=makeRequest"
| timechart bins=1000 count(eval(HttpStatusCode > 201 AND HttpStatusCode !=404)) as ErrorRate perc90(ElapsedTime) as perc90