Hi,
I've got a machine splitted in two unit A and B who gave me their state of preparation and their Failure level. I wanted to count the number of failure per unit when the unit is ready.
So, i created a transaction to group my event when my machine is ready and tried to count the number of time my machine wasn't OK, but every query i tried return me the number of event and not the number of time the string i was looking for occurs.
This is my base search :
(index="index1") Equipement="Machine1" (New_State=ready OR New_State=Not_ready OR id ="*Machine1_B_FAILURE_LEVEL" OR id ="*Machine_A_FAILURE_LEVEL") | transaction Equipement host startswith="New_State="Ready" endswith="New_State=Not_ready"
And I tried :
stats count by Equipement, New_State limit=100
And :
|eval Failure_machine1_A=if(searchmatch(".*machine1_A_FAILURE_LEVEL") AND (searchmatch("Not_ok"),1,Failure_machine1_A) | | transaction Equipement host startswith="New_State=Ready" endswith="New_State=Not_ready"
| stats sum(Failure_machine1_A) by Equipement
also :
| transaction Equipement host startswith="New_State=Ready" endswith="New_State=Not_ready"
|eval Failure_machine1_A=if(searchmatch(".*machine1_A_FAILURE_LEVEL") AND (searchmatch("Not_ok"),1,Failure_machine1_A) | stats sum(Failure_machine1_A) by Equipement
And :
|eval Failure_machine1_A=if((match(id,".*Machine1_A_FAILURE_LEVEL") AND match(_raw, "NOT_OK" )),1,Failure_machine1_A )| transaction Equipement host startswith="New_State=Ready" endswith="New_State=Not_Ready"|
stats count(Failure_machine1_A) by Equipement
And the last try :
|eval Failure_machine1_A=if(like(id,"*Machine1_A_FAILURE_LEVEL") AND New_State=Not_ok,1,Failure_machine1_A )| transaction Equipement host startswith="New_State=Ready endswith="New_State=Not_Ready"|
stats count(Failure_machine1_A) by Equipement
I also tried to use some subsearch without success.
As a beginner, I don't know what I can try next or if I use the right method to achieve my goal.
Thank you in advance for your answers and sorry for my english.
... View more