Hello, everybody!
Can anybody help with such an easy problem as counting events in a summary index?
I have a summary index populated with something like SS:
| tstats prestats=true summariesonly=false
min(CPU.CPU_Performance.cpu_load_percent),
avg(CPU.CPU_Performance.cpu_load_percent),
max(CPU.CPU_Performance.cpu_load_percent)
from datamodel=MODEL where nodename=CPU.CPU_Performance
by host, CPU.CPU_Performance.cpu_instance
| sistats
min(CPU.CPU_Performance.cpu_load_percent),
avg(CPU.CPU_Performance.cpu_load_percent),
max(CPU.CPU_Performance.cpu_load_percent)
by host, CPU.CPU_Performance.cpu_instance
| addinfo
| eval _time=info_min_time, host=upper(host)
| fields - info_sid, info_search_time, info_min_time, info_max_time
| collect index=my_summary
My SS is scheduled to run once an hour, so every hour I get 1 event for each orig_host in the summary index.
Now I want to check if all the required events are in the summary index. I expect to get count=24 events for each orig_host in the summary index for each day. When I try the search:
index=my_summary | stats count by orig_host
I get the sum of all the psrsvd_ct_ values, which is not what I expected. How should I change my search to count events in the summary index?
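To make the difference concrete, here is an added example (not from the original post and not Splunk code) that replays the situation described above on constructed summary-index rows: each hourly run of the saved search writes one row per orig_host carrying the prestats count field psrsvd_ct_<field> (the sample carries only that one psrsvd field; real sistats output has more). Summing that field reproduces the unexpected total the poster saw, while counting rows per host and day is the check that actually finds missing hourly runs. Host names, timestamps and per-row counts are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timezone, timedelta

# Name of the prestats count field that sistats writes for the aggregated field.
CT = "psrsvd_ct_CPU.CPU_Performance.cpu_load_percent"
EXPECTED_PER_DAY = 24  # one collected row per host per hourly run


def make_events():
    """Constructed summary-index rows for one UTC day (hypothetical data).

    HOSTA has all 24 hourly rows, each summarising 3 or 4 raw samples.
    HOSTB is missing hours 10-12, e.g. because the scheduled search was skipped.
    """
    events = []
    day = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for hour in range(24):
        t = int((day + timedelta(hours=hour)).timestamp())
        events.append({"_time": t, "orig_host": "HOSTA", CT: 3 if hour % 2 else 4})
        if hour not in (10, 11, 12):
            events.append({"_time": t, "orig_host": "HOSTB", CT: 4})
    return events


def day_of(t):
    """Equivalent of `bin span=1d _time`: bucket an epoch timestamp by UTC day."""
    return datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d")


def prestats_count_per_day(events):
    """What the poster observed: the psrsvd_ct_ values get summed, so the
    result is the number of raw samples behind the summary, not the number
    of summary rows."""
    totals = defaultdict(int)
    for e in events:
        totals[(day_of(e["_time"]), e["orig_host"])] += e[CT]
    return dict(totals)


def row_count_per_day(events):
    """What the poster wants: one count per summary row, ignoring psrsvd_ct_."""
    counts = defaultdict(int)
    for e in events:
        counts[(day_of(e["_time"]), e["orig_host"])] += 1
    return dict(counts)


def missing_runs(events, expected=EXPECTED_PER_DAY):
    """Coverage check: host-days with fewer than `expected` rows, mapped to
    how many hourly runs are missing."""
    return {k: expected - n for k, n in row_count_per_day(events).items() if n < expected}


if __name__ == "__main__":
    evs = make_events()
    sums = prestats_count_per_day(evs)
    for key, n in sorted(row_count_per_day(evs).items()):
        print(key, "rows:", n, "psrsvd_ct_ sum:", sums[key])
    print("missing hourly runs:", missing_runs(evs))
```

Note that both hosts show a psrsvd_ct_ total of 84 even though HOSTB has only 21 rows, which is exactly why a summed count cannot be used to verify that the summary index is complete; the row count is the figure to alert on.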
Hello, can anyone help with this?
index=my_summary
| bin span=1d _time
| stats count by _time orig_host
It looks like orig_host might be a multivalue field in your summary index, with your host repeated 3.5 times on average (3.5 * 24 = 84). Can you please check?
Sure, my orig_host is NOT MV.
How about _time?
| eval b=mvcount(_time)