Hi all,
I am attempting to count the number of Installs of certain code levels for field machines. Essentially I am extracting this information from some logs, and then I am listing all the code levels by machine serial, this gives me the code level history of a machine. Where I am struggling is being able to list current installs of the code levels, so this would include counts of 0 since not all code levels are currently being used, however I feel that my current approach isn't appropriate , I've included some samples below.
First part of Search-
Search.......| stats values(code_level) as code_level list(time_on_machine) as time_on_machine by Machine_Serial
| stats dc(Machine_Serial) as installs sum(time_on_machine) by code_level
Results-
Machine_Serial code_level time_on_machine
75abc 1.1 365
1.3 20
1.4 50
75dfe 1.1 10
1.3 15
1.5 7
75xyz 1.3 25
1.4 50
As mentioned above from this search I can see a historical view of the code history for machines as well as the time it spent on a machine. Essentially only the latest code level ( the one at the bottom of each group I.E the largest one ) would count as an install so for the first group ( serial 75abc ) code level 1.1 would be a current install, but 1.3 and 1.4 would not count towards installs on their respective level, however I do take their time_on_machine field and add that to the rest, so it would look something like this-
Desired Results-
code_level current_installs time_on_machine_sum
1.1 0 375
1.3 0 60
1.4 2 100
1.5 1 7
Is there any way I can achieve the current_installs portion of this search? Thank you in advance, and please let me know if something was not clear.
Give this a try
Search.......| stats values(code_level) as code_level list(time_on_machine) as time_on_machine by Machine_Serial
| eval latest_code_level=mvindex(code_level,-1)
| eval latest_time_on_machine=mvindex(time_on_machine,-1)
| eval temp=mvzip(code_level,time_on_machine,"#") | fields - code_level, time_on_machine | mvexpand temp | rex field=temp "(?<code_level>.+)#(?<time_on_machine>.+)" | fields - temp
| eval current_install=if(code_level=latest_code_level,1,0)
| stats sum(current_install) as current_install sum(time_on_machine) as time_on_machine by code_level
Give this a try
Search.......| stats values(code_level) as code_level list(time_on_machine) as time_on_machine by Machine_Serial
| eval latest_code_level=mvindex(code_level,-1)
| eval latest_time_on_machine=mvindex(time_on_machine,-1)
| eval temp=mvzip(code_level,time_on_machine,"#") | fields - code_level, time_on_machine | mvexpand temp | rex field=temp "(?<code_level>.+)#(?<time_on_machine>.+)" | fields - temp
| eval current_install=if(code_level=latest_code_level,1,0)
| stats sum(current_install) as current_install sum(time_on_machine) as time_on_machine by code_level
Worked Perfectly thank you!
P.S. one small thing there is a "(" missing after mvindex on the 3rd line
Thanks for noticing the type. Just corrected it.
How about this?
Search.......| stats dc(Machine_Serial) as current_installs sum(time_on_machine) as time_on_machine_sum by code_level
Hello sundareshr,
I've tried that, but this will return a count that includes code levels that are no longer on that machine so where I should get a 0 for example, I'll end up getting a value of 1 or more. Still thank you