I have 2 queries!
Query 1: Find the top 10 APIs using the top command
e.g.:
index="some_index" "abc.def.operation"=* | rename "abc.def.operation" as Operation | top limit=10 Operation
Query 2: Find the peak hour and the response time of each API
e.g.:
index="some_index" "abc.def.operation"=API_NAME |timechart span="1h" avg("abc.def.responseTime") as ResTime, count by index| rename "ResTime: some_index" as avg_res_time, "count: some_index" as NumberOfOccurence | sort - NumberOfOccurence | head 1 | eval avg_res_time=(round(avg_res_time,2)) | eval _time=strftime(_time, "%m/%d/%y %I:%M") | rename avg_res_time as AverageResponseTime(ms), _time as "PeakTime" | eval API=tostring("API_NAME ") | table API PeakTime NumberOfOccurence AverageResponseTime(ms)
The above queries are working fine, but I have to change API_NAME every time I want to get the result.
When I tried to map query 1 with query 2:
index="some_index" | rename "abc.def.operation" as Operation | top limit=4 Operation| map search="search index="some_index" "abc.def.operation"=$Operation$ |timechart span="1m" avg("abc.def.responseTime") as ResTime, count by index| rename "ResTime: some_index" as avg_res_time, "count: some_index" as NumberOfOccurence | sort - NumberOfOccurence | head 1 | eval avg_res_time=(round(avg_res_time,2)) | eval _time=strftime(_time, "%m/%d/%y %I:%M") | rename avg_res_time as AverageResponseTime(ms), _time as "PeakTime" | eval API=tostring("$Operation$") | table API PeakTime NumberOfOccurence AverageResponseTime(ms)"
I am getting the error "Unable to run query ( whole subquery )".
I tried a lot, but no luck. I will be grateful for any help.
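Two worked versions of the combined search, added here as an example and not taken from the poster's own queries or from any answer on the page. The map error comes from quoting: inside `map search="..."` every inner double quote ends the string early, so the subsearch must escape them as `\"`. The first search below shows that form; the second drops map entirely and computes the per-API peak hour in one pass with bin/stats/eventstats, which is the way a practitioner would usually write it (one search instead of one search per API, and no map quoting to get wrong). The index name, the `abc.def.*` field names and the output column names are the poster's placeholders; `AverageResponseTime_ms` is used instead of `AverageResponseTime(ms)` so the field name needs no quoting; the output format and the top-10 cut-off follow the original queries.

```spl
| Version 1: the original idea with map, with the subsearch quotes escaped.
| top limit=10 caps the outer results; map maxsearches is raised to match.
index="some_index" "abc.def.operation"=*
| rename "abc.def.operation" as Operation
| top limit=10 Operation
| fields Operation
| map maxsearches=10 search="search index=\"some_index\" \"abc.def.operation\"=\"$Operation$\"
    | timechart span=1h avg(\"abc.def.responseTime\") as AverageResponseTime_ms, count as NumberOfOccurence
    | sort - NumberOfOccurence
    | head 1
    | eval API=\"$Operation$\", AverageResponseTime_ms=round(AverageResponseTime_ms,2), PeakTime=strftime(_time, \"%m/%d/%y %I:%M\")
    | table API PeakTime NumberOfOccurence AverageResponseTime_ms"

| Version 2: same result without map. One pass over the data:
|  1. bucket events into 1h bins per API
|  2. count and average response time per (API, hour)
|  3. eventstats adds the API's total call volume and its busiest-hour count to every row
|  4. keep only each API's peak hour, then rank APIs by total volume (same order as top)
index="some_index" "abc.def.operation"=*
| rename "abc.def.operation" as API, "abc.def.responseTime" as rt
| bin _time span=1h
| stats count as NumberOfOccurence avg(rt) as AverageResponseTime_ms by API _time
| eventstats sum(NumberOfOccurence) as TotalCalls max(NumberOfOccurence) as PeakCount by API
| where NumberOfOccurence=PeakCount
| dedup API
| sort - TotalCalls
| head 10
| eval AverageResponseTime_ms=round(AverageResponseTime_ms,2), PeakTime=strftime(_time, "%m/%d/%y %I:%M")
| table API PeakTime NumberOfOccurence AverageResponseTime_ms
```

In version 2, `dedup API` after the `where` handles the edge case of two hours tying for an API's peak count: it keeps the first one in the stats output (the earliest hour). If you want the tie broken differently, sort on `_time` before the dedup. Version 2 also scales better: map runs a separate search per API, so its cost grows with the top-N limit, while the stats version reads the index once regardless of how many APIs are reported.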