I have a question about constants and timechart/chart/stats
I have a search like this
sourcetype="syslog" | ... | eval target = 100 | eval range=case( (date_hour>=3 AND date_hour<=4), "in", (date_hour<3 OR date_hour>4), "out" ) | stats count by range
I need to be able to add a | append such that I can print the difference.
Difference = 100 - "in" - "out"
Any ideas on how stats works in the context of deducting two values gathered over time from a constant and displaying it on the exact same time chart?
well, this should work. Create three counts (c, IN and OUT) in the stats function, and just eval the difference from the constant after the stats.
sourcetype=syslog |...
| eval range = if(date_hour >= 3 AND date_hour <= 4, "in", "out")
| stats count as c c(eval(range="in")) as IN c(eval(range="out")) as OUT
| eval Difference = 100 - c
/K
Hi, what if it's not a constant like 100?
What if it's read from an inputlookup like so:
| inputlookup constantTable | where OrgId=100 | fields CONSTANT
CONSTANT = 100
How do I incorporate an appendpipe into this without losing "in" and "out"?
Any help would be appreciated.
And for timechart / chart it's as simple as
sourcetype="syslog" | ... | eval target = 100 | eval range=case( (date_hour>=3 AND date_hour<=4), "in", (date_hour<3 OR date_hour>4), "out" ) | timechart count by range | eval Difference=100-in-out
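As an added example (not from any poster in this thread), this combines the timechart approach above with the lookup-sourced constant asked about in the follow-up: because lookup runs per row, CONSTANT is attached to every time bucket, which appendcols would not do. It assumes constantTable is a lookup definition with an OrgId column and a CONSTANT column, and quotes the field names 'in' and 'out' so eval never mistakes them for keywords.

```spl
sourcetype="syslog"
| eval range=if(date_hour>=3 AND date_hour<=4, "in", "out")
| timechart span=1h count BY range
| fillnull value=0 in out
| eval OrgId=100
| lookup constantTable OrgId OUTPUT CONSTANT
| eval Difference = CONSTANT - 'in' - 'out'
| fields _time in out CONSTANT Difference
```

fillnull guards the subtraction when a bucket has no events for one of the two ranges; if CONSTANT is missing for an OrgId, Difference comes out null, which is the row to check for a lookup gap.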