topic Re: mstats command in Getting Data In

mstats command

Shakira1 — Wed, 04 Oct 2023 07:07:43 GMT

Hi,

I have this command:

| mstats avg("value1) prestats=true WHERE "index"="my_index" span=10s BY host
| timechart avg("value1") span=10s useother=false BY host WHERE max in top5

and I would like to count the host and trigger when I have less then 3 hosts.

I tired something like that:

```|stats dc(host) as c_host | where c_host > 3,``` but its not working as usual .

any idea? thanks!

Re: mstats command

ITWhisperer — Wed, 04 Oct 2023 07:41:17 GMT

It is not clear what you have actually tried and what is "not working". Please provide your full search, anonymised as necessary, and show how it is not working.

Re: mstats command

Shakira1 — Wed, 04 Oct 2023 07:43:10 GMT

this is my search:

| mstats avg("value1) prestats=true WHERE "index"="my_index" span=10s BY host
| timechart avg("value1") span=10s useother=false BY host WHERE max in top5

which is working fine.

I just want to create a new alert that triggered when the host count is less then 3.

how can I do that?

Re: mstats command

ITWhisperer — Wed, 04 Oct 2023 07:46:49 GMT

If that is your search, you should be getting an error!

Is the search relevant to the count you want i.e. should the count be based on the results of a working search, or from the index, or from part of the search?

Re: mstats command

Shakira1 — Wed, 04 Oct 2023 08:08:19 GMT

not sure why you say that. but its working.

just to be clear = value1 = to some internal parameter.

index = my index.

and base on that Im getting information about the hosts .

now I just want to count how many hosts reporting, when its less then 3 I want to trigger about it.

hope its clear now.

Re: mstats command

ITWhisperer — Wed, 04 Oct 2023 08:19:47 GMT

| mstats avg("value1) prestats=true WHERE "index"="my_index" span=10s BY host

has a missing double quote so will give you an error

Also, assuming that this is corrected, you will get a field called something like "avg(value1)"

This means that you no longer have a field called "value1" so the timechart command has no field to do an average on.

This is why the search you provided does not work.

Assuming it is the timechart table that you want to count hosts for, you could untable the chart table

| untable _time host average | stats dc(host) as c_host | where c_host < 3

Re: mstats command

Shakira1 — Wed, 04 Oct 2023 09:12:48 GMT

now I see

first I missed double quote, so you are correct - so my search is:

| mstats avg("value1") prestats=true WHERE "index"="my_index" span=10s BY host
| timechart avg("value1") span=10s useother=false BY host WHERE max in top5

now, if I want to search by what you worth:

| mstats avg("value1") prestats=true WHERE "index"="my_index" span=10s BY host

| untable _time host average | stats dc(host) as c_host

| timechart avg("value1") span=10s useother=false BY host WHERE max in top5

| untable _time host average | stats dc(host) as c_host

Anyway, I want to use mstats function and get a count for the host.

Re: mstats command

Shakira1 — Wed, 04 Oct 2023 09:15:10 GMT

Ok, now i see and get the data.

thanks!