Looking for a bit of advice on how to pull this one off.
What I'm trying to do is take some data that also has a flag evaled into every event, and work out the median only where that condition is true.
Short of a subquery, which I'm avoiding venturing into, I'm pretty stuck on ideas.
Example data:
_time       Reconnections  CSW  SpeedUpperLimit  MedianDSRate  SpeedLowerLimit  PSW       ddDLMReconnection
2018-01-01  2              2    14904            14404         13404            100.00 %  1
2018-01-02  2              2    14904            14404         13404            100.00 %  1
2018-01-03  2              2    14904            14404         13404            100.00 %  0
2018-01-04  6              5    14904            14404         13404            83.33 %   0
This is based on the following query:
| search PACKET_TYPE=ACCESS-ACCEPT OR PACKET_TYPE=STOP
| reverse
| streamstats current=f Last(_time) as Last_Time
| reverse
| eval TimeBetweenSession = abs(_time-Last_Time)
| bucket span=1d _time
| eval ReconnectionType = if(TimeBetweenSession >= $dlmsecmin$ AND TimeBetweenSession <= $dlmsecmax$, "DLM Related Resync", ReconnectionType)
| eventstats median(DSL_DSRATE) AS M by _time
| eval FixedLogicFlag = if(M<15000, 1, 0)
| eval ReportError = if(isnull(DSL_DSRATE) OR DSL_DSRATE="", "True", "False")
| eval SRU = if(FixedLogicFlag == 1, M + 500, M * 1.03)
| eval SRL = if(FixedLogicFlag == 1, M - 1000, M * 0.92)
| stats first(ReportError) AS ReportError first(FixedLogicFlag) AS FixedLogicFlag count(DSL_DSRATE) AS Reconnections count(eval(ReconnectionType == "DLM Related Resync")) AS ddDLMReconnection first(SRU) as SpeedUpperLimit median(DSL_DSRATE) AS MedianDSRate first(SRL) as SpeedLowerLimit count(eval(DSL_DSRATE>=SRL AND DSL_DSRATE<=SRU)) AS CSW by _time
| eval PSW = (CSW/Reconnections) * 100
| eval "Logic Outcome" = if(ReportError == "True", "Inconclusive (Reporting Error)", if(Reconnections>=10, if(PSW>82, "Inconclusive", "Truckroll"), "Inconclusive(Low Reauths)"))
| table _time Reconnections CSW SpeedUpperLimit MedianDSRate SpeedLowerLimit PSW "Logic Outcome" ddDLMReconnection
... | eventstats median(field) as median by condition | eval median = case(condition="true", median)
The eventstats will calculate the median for true and the median for false; the eval will only keep the value for true and unset the other values.
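
The eventstats/eval pattern from the answer above, applied per day, as an added example that is not part of the original posts. It generates ten constructed sample events with makeresults so it can be pasted into a search bar without any index. The rates, the session gaps, the 10 to 60 second window standing in for $dlmsecmin$/$dlmsecmax$, and the field names isDLM and MedianDSRateDLM are assumptions.

```spl
| makeresults count=10
| streamstats count AS n
| eval _time = relative_time(now(), "@d") - if(n<=5, 86400, 0)
| eval DSL_DSRATE = case(n=1,14404, n=2,14500, n=3,9000, n=4,14300, n=5,8500, n=6,14410, n=7,14450, n=8,8000, n=9,14350, n=10,7900)
| eval TimeBetweenSession = case(n=1,30, n=2,45, n=3,4000, n=4,50, n=5,7200, n=6,20, n=7,35, n=8,6000, n=9,40, n=10,9000)
| eval isDLM = if(TimeBetweenSession >= 10 AND TimeBetweenSession <= 60, "true", "false")
| bucket span=1d _time
| eventstats median(DSL_DSRATE) AS MedianDSRateDLM by _time isDLM
| eval MedianDSRateDLM = case(isDLM="true", MedianDSRateDLM)
| stats count AS Reconnections count(eval(isDLM="true")) AS ddDLMReconnection median(DSL_DSRATE) AS MedianDSRate max(MedianDSRateDLM) AS MedianDSRateDLM by _time
```

Putting both _time and the flag in the eventstats by clause keeps the conditional median per day, and because the eval leaves the value unset on non-matching events, the final stats can collect it with max() next to the unconditional median.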