Hello,
I am doing a search for the selected time range, the 27th to the 28th:
index=abc... | bucket _time span=1d | eval Time=strftime(_time, "%m-%d-%Y") | chart count over id by Time usenull=f useother=f
OUTPUT:
id    01-27-2018    01-28-2018
aaa   500           600
bbb   400           300
I want the average of each id per minute, for example avg_permin=500/1440=0.34, as there are 1440 minutes per day.
I am trying to use rename for the date, but I don't think that will work.
Thanks
You can use the foreach command like this:
index=abc... | bucket _time span=1d | eval Time=strftime(_time, "%m-%d-%Y") | chart count over id by Time usenull=f useother=f
| foreach * [ eval "<<FIELD>>"=if("<<FIELD>>"!="id", round('<<FIELD>>'/1440,2), '<<FIELD>>') ]
Try this:
index=<your_index>
| bucket _time span=1d
| eval Time=strftime(_time, "%m-%d-%Y")
| chart count over id by Time usenull=f useother=f
| foreach *
    [ eval "<<FIELD>>"=if(NOT "<<FIELD>>"="id", round('<<FIELD>>'/1440,2), '<<FIELD>>') ]
Let me know if this helps!
I tried this, but the result shows no values for the field id.
I am sorry, but what will go in place of FIELD in my case, and what is "<<FIELD>>"!=id ?
Nothing would go in place of FIELD or <<FIELD>>. You should use the code literally as it's written. You'll take the current search you have and then paste at the end of it:
| foreach * [ eval "<<FIELD>>"=if("<<FIELD>>"!="id", round('<<FIELD>>'/1440,2), '<<FIELD>>') ]
The portion of the code that says "<<FIELD>>"!="id" is checking which field the code is currently using. As you'd like calculations performed on all fields except the one named id, the code has to check to see if it's currently evaluating the id field, and if it is, then it should not try to divide the id by 1440.
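A self-contained check of the foreach approach described above, added here as an example rather than code from any poster in this thread. It builds the same two-day, two-id table with makeresults (the ids, dates and counts are constructed to match the output shown in the question; the field name count and the helper column n are assumptions), runs the same bucket/chart pipeline, and then applies the per-minute division. The comparison is written as "<<FIELD>>"!="id" with id quoted: in eval, a double-quoted token is a string literal while a bare token is a field reference, so an unquoted id would compare the column name against the value of the id field (aaa, bbb), never match, and turn the id column into empty values when it is divided.

```spl
| makeresults count=4
| streamstats count AS n
| eval id=if(n<=2, "aaa", "bbb"),
       _time=if(n%2==1, strptime("01-27-2018", "%m-%d-%Y"), strptime("01-28-2018", "%m-%d-%Y")),
       count=case(n==1, 500, n==2, 600, n==3, 400, n==4, 300)
| fields - n
| bucket _time span=1d
| eval Time=strftime(_time, "%m-%d-%Y")
| chart sum(count) AS count over id by Time usenull=f useother=f
| foreach * [ eval "<<FIELD>>"=if("<<FIELD>>"!="id", round('<<FIELD>>'/1440,2), '<<FIELD>>') ]
```

The chart stage reproduces the table from the question (aaa: 500, 600; bbb: 400, 300), and the foreach stage rewrites every date column in place while leaving id untouched, so the expected result is aaa 0.35 / 0.42 and bbb 0.28 / 0.21. Replace the makeresults and eval lines with your real index search to apply it to live data.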
Thank you, but I tried pasting the same thing and ran the search. I don't see any change in the results; it is the same as before. Where will the values for the eval expression move to?
It'll overwrite the fields that have been created for Time field values. The eval should divide all values by 1440 and round it to 2 decimal places. Could you paste the exact search you used? You can mask any sensitive data in the query.
This is exactly the same search:
index=abc type=" request" id=va* | bucket _time span=1d | eval Time=strftime(_time, "%m-%d-%Y") | chart count over id by Time | foreach * [ eval "<<FIELD>>"=if("<<FIELD>>"!="id", round('<<FIELD>>'/1440,2), '<<FIELD>>') ]