Hello everybody,
I'm trying to set up a traffic light circuit. I'm searching for two failures: "12345" and "54321".
Immediately if failure "12345" occurs -> range should be "elevated" and then the traffic light should change to orange, and if failure "54321" occurs -> range should change to "severe" and the traffic light changes to red. The traffic light circuit is working with some JavaScript and a SingleValue visualization. The only problem is that my XML script is not working.
By now my rangemap-line: ... | rangemap field=failure default=low elevated=12345-12345 severe=54321-54321
The command could also be like: "If count of failure appearance > 1, then change range to..." and the traffic light changes in real time.
I hope that I described it clearly to you! Thank you very much for your help!
Best Regards!
Here is the deal - a lot of visualizations are based on the "range" field - which is simply the default output of the rangemap command. But you don't have to use the rangemap command - you can calculate the value of the range field however you want. Also, to drive a single value panel, it is best to have a search that yields only a single result (line) with 2 fields - the range and the value that you want to display.
So you could do this:
yoursearchhere
| stats values(failure) as failure_group
| eval range = case(failure_group==54321,"severe",
failure_group==12345,"elevated",
1==1,"low")
How this search works: since you don't care how many times the failure has happened, there is no need to count them. Using the values function of stats returns just a single result - a sorted list of the failures that appeared in the search. The case function tests to see if each failure appears - if it appears, then the range value is set. Only the first true comparison applies, so if 54321 appears, the value will be set to "severe" and we will not check (or care) to see if a 12345 also appeared. The 1==1 is used for the default condition, since it is always true.
Now, the above search should work great for a scheduled alert - each time the search runs, it produces a single result that is the "worst thing that happened" during the time interval of the search. But if you are running a true realtime alert, you could simply do this:
yoursearchhere
| eval range = case(failure==54321,"severe",
failure==12345,"elevated",
1==1,"low")
| fields failure range
Now the value of the range field will fluctuate as each event (that matches the search) is received.
Dear Iguinn, thank you very much for your response!
Sorry, I forgot to mention that there are many different failures, circa 30 units.
For example, I have the failures 1, 2, 3, 4, 5 and 6. Now, if the search finds failure "1", then the range should change to "severe", if it finds failure "2", then the range should change to "elevated" and if it finds 3 or 4 or 5 or 6, then the range should change to "low".
In addition to that, if failure "1" appears, the range should change to "severe", no matter if failure "2" or the other failures appear.
And if failure "2" appeared first, and failure "1" appears afterwards, then it should change from "elevated" to "severe".
The same applies if there were only the failures 3 or 4 or 5 or 6 (="low") and then failure "1" (="severe") or "2" (="elevated") appears.
Is it possible to do that?
Thanks in advance!
Best regards!
Ok, I found the solution: Don't forget to add "" to your failure codes!
index="..."
| stats values(failure) as failure_group
| eval range = case(failure_group=="1","severe",failure_group=="2","elevated",1==1,"low")
| table range
Now it's working fine for me!
Thank you again and best regards!
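For the generalized case from the follow-up (one code is "severe", one is "elevated", everything else is "low", and the worst code seen in the time window must win no matter what order the events arrive in), here is an added example search. It is not the answerer's code and not the poster's final solution; it assumes the index name is a placeholder you replace, that the field `failure` holds the code as a string (hence the quotes, as the poster found), and that the same six codes 1..6 from the follow-up are in play. The difference from the `values()` + `case()` form is that each event is first turned into a numeric severity rank and `stats max()` then picks the worst one, so the result does not depend on how `eval` compares a multivalue field, and the panel also gets a count to display next to the range.

```spl
index=<your_index> failure=*
| eval severity_rank = case(
    failure=="1", 3,
    failure=="2", 2,
    failure=="3" OR failure=="4" OR failure=="5" OR failure=="6", 1,
    true(), 0)
| stats max(severity_rank) as worst_rank, count as failure_count
| eval range = case(
    worst_rank==3, "severe",
    worst_rank==2, "elevated",
    true(), "low")
| table failure_count range
```

Because the rank is computed per event before aggregation, a "2" arriving before a "1" and a "1" arriving before a "2" both yield `worst_rank=3` and `range="severe"`, which is the behaviour asked for. With around 30 codes, the `case()` branches can be replaced by a lookup table mapping each code to its rank, keeping the `stats max()` and the final `case()` unchanged.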