topic Re: Calculate number of events between time intervels in Getting Data In

Calculate number of events between time intervels

marellasunil — Mon, 20 May 2013 16:59:57 GMT

Hi,

I would like ti calculate number of events between time in my search.
There are 2 status, exceed & within in my query.
I want to calculate the number of "exceed" events between 11:45 to 1:45 daily.
My query has to run between 22:30 to next day 22:30 to count the total events.

Re: Calculate number of events between time intervels

kristian_kolb — Mon, 20 May 2013 19:11:10 GMT

Not 100% sure that I understand your reporting needs;
- the total number of events per 24 hours, counting from 22:30 each day.
- Also, you want a the number of events between 11:45 - 13:45 (assumption) where status=exceed

If you want the 'exceed' events between 11:45 and 01:45 you should change the schedule so that the search runs outside that timeframe, e.g. at 02:00.

So to the answer;

sourcetype = XXX earliest=-1d@d+22h+30m latest=@d+22h+30m 
| stats c as Total
| appendcols 
    [search sourcetype=XXX earliest=-1d@d+11h+45m latest=@d+13h+45m status=exceeded 
    | stats c as "Number of exceeded during my loong lunch"]

Added some indentation so that it's easier to see what happens in the appended search. Set the search to run at 23.00 every day.

As you might guess, the searches operate independently of each other, and the result will look something like;

Total     Number exceeded during my looong lunch
-----     --------------------------------------
124621    9473

Hope this helps,

Kristian

Re: Calculate number of events between time intervels

marellasunil — Mon, 20 May 2013 20:10:29 GMT

Hi Kristian, Thank you for the answer, 🙂 It worked, and also I wrote query in different way, and this also worked. 🙂 .. | count(eval(Report="exceed" and (StartTime>"00:00:00.000" and StartTime<"01:45:00.000") OR StartTime>"23:45:00.000")) as "exceeded count".

StartTime field already exist in the logs 😜