ComputerName  Events  Rank
ABC           100     1
BCD           200     2
CDE           300     3
I need to create Rank by Events.
My intention is that the highest number of events has to hold rank 1, then the following ones, and if the events are the same then the rank should be the same.
Is anyone there to help with the above request?
@shivareddysompalle,
First use sort, then the streamstats command to calculate the rank:
...|sort - Events | streamstats count AS Rank
Below is the same using sample data:
|makeresults|eval ComputerName="abc", Events=200
|append[|makeresults|eval ComputerName="bcd", Events=100]
|append[|makeresults|eval ComputerName="def", Events=300]
|sort - Events
|streamstats count AS Rank
@shivareddysompalle,
Try below:
|makeresults|eval ComputerName="abc", Events=200
|append[|makeresults|eval ComputerName="bcd", Events=100]
|append[|makeresults|eval ComputerName="fcd", Events=200]
|append[|makeresults|eval ComputerName="def", Events=300]
|sort 0 - Events
|streamstats current=f window=1 values(Events) as prev
|eval Rank_filled=if(prev=Events,0,1)
|accum Rank_filled
I used the same, but it did not work.
I can't share my query since it is organisational data.
Can you share some sample data and your query, masking the confidential data?
As per the data in your question, it should work.
ComputerName  Countofissues
ABC           10
BCD           22
DCE           32
My query is like:
eventstats dc(Computername) as Countofissues by Computername
I need to assign a rank based on Countofissues. Countofissues will change dynamically over time.
Try below, without using the above eventstats command:
...|table ComputerName Countofissues
|sort 0 - Countofissues
|streamstats current=f window=1 values(Countofissues) as prev
|eval Rank=if(prev=Countofissues,0,1)
|accum Rank
|table ComputerName Countofissues Rank
How will I get the count of issues without eventstats?
If I use stats, no issues are found.
Use:
stats count as Countofissues by ComputerName
Even after I applied it, the rank is the same, like 1 2 3.
My query is below:
index="abc" source="bcd"
|eval ComputerName=upper(ComputerName)
|join ComputerName
[|savedsearch Computers_By_Product productName="DELL"]
| eval title = replace(title,"{","")
| eval title = replace(title,"}","")
| rename title as signature
| join type=left signature
[search index="abc" source="dce" earliest=1 latest=now() | stats dc(id) as IDs by signature]
| eventstats dc(DateTime) as issueCount by ComputerName
| eventstats dc(ID) as fixCount by ComputerName
|sort issueCount
|streamstats current=f window=1 values(issueCount) as Prev
|eval Rank_filled=if(prev=Events,0,1)
|accum Rank_filled
|table ComputerName issueCount Rank_filled
Try below:
index="abc" source="bcd"
|eval ComputerName=upper(ComputerName)
|join ComputerName
[|savedsearch Computers_By_Product productName="DELL"]
| eval title = replace(title,"{","")
| eval title = replace(title,"}","")
| rename title as signature
| join type=left signature
[search index="abc" source="dce" earliest=1 latest=now() | stats dc(id) as IDs by signature]
| eventstats dc(DateTime) as issueCount by ComputerName
| eventstats dc(ID) as fixCount by ComputerName
|sort 0 - issueCount
|streamstats current=f window=1 values(issueCount) as Prev
|eval Rank_filled=if(prev=issueCount,0,1)
|accum Rank_filled
|table ComputerName issueCount Rank_filled
I got results like:
issueCount Rank
2 1
2 2
1 3
1 4
I need the rank like:
issueCount Rank
2 1
2 1
1 2
1 2
@woodcock,
please help with this.
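The 1 2 3 4 result reported above comes from a field-name mismatch in the posted query rather than from the ranking logic: `streamstats ... as Prev` creates a field called `Prev`, but the `eval` tests `prev`, and Splunk field names are case-sensitive. `prev` is therefore never set, `if(prev=issueCount,0,1)` always takes the false branch and returns 1, and `accum` turns a column of ones into a plain running count. The search below is an added example written for this page, not code from the thread or from Splunk; it replaces the `index="abc"` search and the `join`/`eventstats` stages with constructed sample data (the ComputerName values and issueCount numbers are made up) and ranks so that equal counts share a rank, with the next distinct count getting the next rank.

```spl
| makeresults count=4
| streamstats count AS n
| eval ComputerName=case(n=1,"ABC", n=2,"BCD", n=3,"CDE", n=4,"DEF")
| eval issueCount=case(n=1,2, n=2,1, n=3,2, n=4,1)
| fields - _time n
| sort 0 -issueCount, +ComputerName
| streamstats current=f window=1 last(issueCount) AS prev
| eval step=if(isnull(prev) OR prev!=issueCount, 1, 0)
| accum step AS Rank
| fields - prev step
| table ComputerName issueCount Rank
```

Paste it into the search bar as-is; it needs no index. To use it on real data, replace the first five lines with your own search ending in `stats count AS issueCount BY ComputerName` (or the `eventstats dc(DateTime) as issueCount by ComputerName` stage from the thread). The field created by `streamstats` and the one tested in `eval` are spelled identically (`prev`), which is the point of the fix; `isnull(prev)` handles the first row explicitly instead of relying on a null comparison; `sort 0` lifts the default 10,000-row limit and the secondary sort on ComputerName makes the order among ties deterministic; `accum step AS Rank` writes the running total to a new field instead of overwriting `step`. On the sample data this yields ABC 2 1, CDE 2 1, BCD 1 2, DEF 1 2. An equivalent that avoids the lag trick altogether is to collapse to distinct counts first: `| stats values(ComputerName) AS ComputerName BY issueCount | sort 0 -issueCount | streamstats count AS Rank | mvexpand ComputerName`.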