topic Re: Can you help on 2 similar requests that don't have the same results? in Dashboards & Visualizations

Can you help on 2 similar requests that don't have the same results?

jip31 — Thu, 03 Jan 2019 08:11:21 GMT

I use two requests that are almost the same.

First request :

eventtype=Flag OR eventtype=Model 
| rex "Model=(?<model>.*)" 
| stats values(model) as Model by host  
| stats dc(host) as host by Model 
| sort -model limit=5

This request doesn't return values because the eventtype=flag,which corresponds to index="windows-fr" sourcetype="tools:flags" filename="TOTO*" is not respected

Second request

   eventtype=Flag OR eventtype=NATCO
    | eval NATCO=if(key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\ConfigurationCountry",data, null)
    | stats values(NATCO) as NATCO by host 
    | stats dc(host) as host by NATCO | sort -NATCO limit=5

I have a value for these request even if I also use the eventtype=Flag

Normally it should be also empty

what is the problem please?

Re: Can you help on 2 similar requests that don't have the same results?

raphgoncalves — Thu, 03 Jan 2019 09:17:19 GMT

eventtype=Flag OR eventtype=NATCO

If eventtype=NATCO returns events, it should be normal that you have some results, shouldn't it ?

Re: Can you help on 2 similar requests that don't have the same results?

jip31 — Thu, 03 Jan 2019 09:55:23 GMT

NO
eventtype returns also results but
the stats(values) is used for doing a match between the two eventtype
So if eventtype= Flag is KO i have to have no results in others eventtype

Re: Can you help on 2 similar requests that don't have the same results?

andreacorvini — Thu, 03 Jan 2019 16:50:45 GMT

In the second query if you use only "eventtype=NATCO" (instead of "eventtype=Flag OR eventtype=NATCO") do you have the same result?

Re: Can you help on 2 similar requests that don't have the same results?

jip31 — Fri, 04 Jan 2019 06:31:24 GMT

Yes I have the same result

Re: Can you help on 2 similar requests that don't have the same results?

jip31 — Fri, 04 Jan 2019 06:39:00 GMT

in fact I want to have a result if the condition mentionned in eventtype=Flag
(index="windows-fr" sourcetype="tools:flags" filename="TOTO*)" is OK
If the condition is KO I dont want results

Re: Can you help on 2 similar requests that don't have the same results?

woodcock — Thu, 10 Jan 2019 01:01:36 GMT

Try this instead for your first search (which has several mistakes):

index=* AND (eventtype=Flag OR eventtype=Model)
| rex "Model=(?<model>.*)" 
| eval model=coalesce(model, "WAS_NULL")
| stats dc(host) AS host by Model 
| sort 5 -Model