Hi,
My intention is to measure the 2-hour moving average of the ratio of events with reason code X201 to the total of info events logged per country:
index="logger" "Log Info"
| bin _time span=1h
| eval _raw=replace(_raw,"\\\\\"","\"")
| rex "\"RawRequest\":\"(?<raw_request>.+)\"}$"
| eval json= raw_request
| spath input=json output=country_code path=customer.billingAddress.countryCode
| spath input=json output=reason_code path=history{}.reasonCode
| where country_code = "USA"
| eval error=if(like(reason_code,"%X201%"),1,0)
| stats count as total sum(error) as errors by _time, country_code
| trendline sma2(errors) as 2_hours_error_sma sma2(total) as 2_hours_total_sma
| table _time, country_code, total, errors, 2_hours_error_sma, 2_hours_total_sma
In there, I added the where country_code="USA" clause to double-check that the results were OK, and they are, but if I remove that clause the results get messed up, and I'm struggling to understand why, as I would expect the data to be grouped properly.
N.B. The table clause is just for the purpose of checking the data; eventually my idea would be to use it for detecting spikes in the ratio of errors/total, but that would be a further step.
EDIT: It turns out streamstats honours the split field (and in conjunction with global=f I get what I expect). I leave it here for reference, and just in case someone proves me wrong, but I think this works. I found it in the answer to 417618/how-to-search-and-alert-on-anomaliesspikes-in-mult (can't paste links, but that is a great answer).
index="logger" "Log Info"
| bin _time span=1h
| eval _raw=replace(_raw,"\\\\\"","\"")
| rex "\"RawRequest\":\"(?<raw_request>.+)\"}$"
| eval json= raw_request
| spath input=json output=country_code path=customer.billingAddress.countryCode
| spath input=json output=reason_code path=history{}.reasonCode
| eval error=if(like(reason_code,"%X201%"),1,0)
| stats count as total sum(error) as errors by _time, country_code
| streamstats window=2 mean(total) as sma2_total mean(errors) as sma2_errors by country_code global=false
| table _time, country_code, total, errors, sma2_total, sma2_errors
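As an added illustration (not part of the original post, and not Splunk code), the following Python re-implements the pipeline above over constructed log lines, so the difference between a window split per country and a window that runs across countries can be seen on concrete numbers. The outer log layout (fields ts and msg, RawRequest carrying the inner request as an escaped JSON string) and the sample values are assumptions. hourly_counts() is the equivalent of the stats line, moving_average(split=True) of streamstats window=2 ... by country_code global=false, and moving_average(split=False) of a window that ignores the split field, which is what produces the mixed-up numbers the first query gives without the where clause. It also carries the errors/total ratio the post mentions as a later step, and counts an event as an error when any history entry's reasonCode contains X201, since history{}.reasonCode is multivalued when a request has several history entries.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data (not from the original post). Each tuple is
# (hour of 2024-05-01 UTC, billing country, one reasonCode per event).
SPEC = [
    ("10", "USA", ["A100", "X201", "A100"]),
    ("10", "DEU", ["X201", "X201"]),
    ("11", "USA", ["A100", "B300"]),
    ("11", "DEU", ["A100"]),
    ("12", "USA", ["X201", "A100", "X201", "B300"]),
    ("12", "DEU", ["A100", "X201"]),
]


def make_line(ts, country, reason):
    """Build one constructed 'Log Info' line: an outer JSON object whose
    RawRequest field is the inner request JSON serialised as a string, which
    is why the SPL in the post has to undo the escaped quotes with replace/rex.
    Field names ts and msg are assumptions."""
    inner = {"customer": {"billingAddress": {"countryCode": country}},
             "history": [{"reasonCode": reason}]}
    return json.dumps({"ts": ts, "msg": "Log Info", "RawRequest": json.dumps(inner)})


LOG_LINES = [
    make_line(f"2024-05-01T{hour}:{i:02d}:00Z", country, reason)
    for hour, country, reasons in SPEC
    for i, reason in enumerate(reasons)
]


def parse_event(line):
    """Return (hour bucket, country_code, is_error) for one log line."""
    outer = json.loads(line)
    req = json.loads(outer["RawRequest"])  # second parse instead of replace()+rex
    ts = datetime.strptime(outer["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    bucket = ts.replace(minute=0, second=0)  # bin _time span=1h
    country = req["customer"]["billingAddress"]["countryCode"]
    # history{}.reasonCode is multivalued; treat any X201 entry as an error
    codes = [h.get("reasonCode", "") for h in req.get("history", [])]
    return bucket, country, any("X201" in c for c in codes)


def hourly_counts(lines):
    """Equivalent of: stats count as total sum(error) as errors by _time, country_code"""
    counts = defaultdict(lambda: {"total": 0, "errors": 0})
    for line in lines:
        bucket, country, is_error = parse_event(line)
        counts[(bucket, country)]["total"] += 1
        counts[(bucket, country)]["errors"] += int(is_error)
    return dict(counts)


def moving_average(counts, window=2, split=True):
    """Sliding mean over rows in (_time, country_code) order.
    split=True keeps one window per country (streamstats ... by country_code
    global=false); split=False lets one window run across countries, so a USA
    row gets averaged with the preceding DEU row."""
    rows, history = [], defaultdict(list)
    for bucket, country in sorted(counts):
        hist = history[country if split else None]
        hist.append(counts[(bucket, country)])
        del hist[:-window]  # keep only the last `window` rows
        sma_total = sum(r["total"] for r in hist) / len(hist)
        sma_errors = sum(r["errors"] for r in hist) / len(hist)
        rows.append({"_time": bucket.isoformat(), "country_code": country,
                     **counts[(bucket, country)],
                     "sma_total": sma_total, "sma_errors": sma_errors,
                     "error_ratio": sma_errors / sma_total})
    return rows


if __name__ == "__main__":
    counts = hourly_counts(LOG_LINES)
    for split in (True, False):
        print("split by country" if split else "window across countries")
        for r in moving_average(counts, split=split):
            print(f"  {r['_time']} {r['country_code']} total={r['total']} "
                  f"errors={r['errors']} sma_total={r['sma_total']:.2f} "
                  f"sma_errors={r['sma_errors']:.2f} ratio={r['error_ratio']:.2f}")
```

With the sample above, the USA row for 11:00 averages to sma_total=2.5 and sma_errors=0.5 when the window is split by country (USA 10:00 and USA 11:00), but to 1.5 and 0.0 when it is not, because the preceding row in time order is DEU 11:00. The first row of each country only has itself in the window, which matches streamstats rather than trendline, which leaves the leading rows empty.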