Hi jkat54,
the ] is the end bracket of the subsearch. In any case, I've inserted |eval last_time_ok=if(isnull(last_time_ok),"NULL",last_time_ok) but I still get the issue. I don't think there should be any syntax error, because if I change the earliest time to get some critical events the search works fine. Here is the newest search:
*index=app_nagios sourcetype=ydms_status earliest=-1mon SERVICESTATEID:sasv03qb:
|eventstats earliest(_time) as start_period latest(_time) as end_period
|eval duration_period=end_period - start_period
|eval duration_incident=if((current_state = 2),
[search index=app_nagios sourcetype=ydms_status earliest=-1mon SERVICESTATEID:sasv03qb:
|where current_state=2 AND current_check_attempt=max_check_attempts
|eval last_time_ok=if(isnull(last_time_ok),"NULL",last_time_ok)
|stats count latest(last_time_critical) as last_time_critical by last_time_ok
|eval end_incident=if(isnull(last_time_critical),0,strptime(last_time_critical,"%Y-%m-%d %H:%M:%S"))
|eval start_incident=if(isnull(last_time_ok),0,strptime(last_time_ok,"%Y-%m-%d %H:%M:%S"))
|eval duration_incident=end_incident - start_incident
|stats sum(duration_incident) as duration_incident
|return $duration_incident],0)
|eval %unavail=round(duration_incident/(duration_period)*100,2)
|eval %= round((100 - '%unavail'),2)
|eval %= round((100 - '%unavail'),2)
|sort %
|head 1
|fields %*
Please let me know any other workarounds.
Many thanks for the support.
Antonio