Hello Guys,
What I'm trying to achieve is to show all the "NOT OKAY" field values from the stats.
There's a conflict between my "OKAY" and "NOT OKAY" values.
Can anyone guide me on how to show all the "NOT OKAY" to the summary field?
Tried replacing the case with ~ | eval z=if((y=1 OR swapUsedPct1=1 OR CommandCount1=1),"NOT OKAY","OKAY")
but I'm getting the same result.
Here's my Search:
index=os host=local*
| multikv fields swapUsedPct
| eval swapUsedPct1=if(swapUsedPct>=10,1,0)
| append [search index=os host=local* source=ps
| multikv
| search S=Z PID=* COMMAND=*
| eventstats dc(PID) AS CommandCount by host
| eval CommandCount1=if(CommandCount>=10,1,0)]
| append [search index=os host=local* source=ps
| multikv
| rex field=ELAPSED "(?<daytrend>(\d+\-?))"
| eval daytrend=replace (daytrend,"-","")
| eval daytrend=tonumber(trim(daytrend))
| eval x=(182-daytrend)
| eval y=if(x<=1,1,0)]
| eval summary = case(y=1 OR swapUsedPct1=1 OR CommandCount1=1, "NOT OKAY", (y=0 OR swapUsedPct1=0 OR CommandCount1=0), "OKAY", (y=2 OR swapUsedPct1=2 OR CommandCount1=2), "NULL")
| stats latest(summary) AS Status BY host
| sort + Status
P.S.
Yep, I know my search can still be optimized 🙂
Thank you kindly!
I suspect there is nothing correlating the three searches to each other. Consider replacing the append commands with join host. This is less efficient, but may work better.
Yep, your suspicion is spot on! Thank you!
Please accept the answer.
Your code is doing exactly what it ought to, as far as I can tell. This code generates all 27 possible conditions for test purposes
| makeresults
| eval y = "0 1 2" | makemv y | mvexpand y
| eval swapUsedPct1 = "0 1 2" | makemv swapUsedPct1 | mvexpand swapUsedPct1
| eval CommandCount1= "0 1 2" | makemv CommandCount1 | mvexpand CommandCount1
| sort y swapUsedPct1 CommandCount1
| streamstats count as RecNo
| table RecNo y swapUsedPct1 CommandCount1
Your case statement processes the above output
| eval summary = case(y=1 OR swapUsedPct1=1 OR CommandCount1=1, "NOT OKAY", (y=0 OR swapUsedPct1=0 OR CommandCount1=0), "OKAY", (y=2 OR swapUsedPct1=2 OR CommandCount1=2), "NULL")
resulting in
RecNo  y  swapUsedPct1  CommandCount1  summary
1      0  0             0              OKAY
2      0  0             1              NOT OKAY
3      0  0             2              OKAY
4      0  1             0              NOT OKAY
5      0  1             1              NOT OKAY
6      0  1             2              NOT OKAY
7      0  2             0              OKAY
8      0  2             1              NOT OKAY
9      0  2             2              OKAY
10     1  0             0              NOT OKAY
11     1  0             1              NOT OKAY
12     1  0             2              NOT OKAY
13     1  1             0              NOT OKAY
14     1  1             1              NOT OKAY
15     1  1             2              NOT OKAY
16     1  2             0              NOT OKAY
17     1  2             1              NOT OKAY
18     1  2             2              NOT OKAY
19     2  0             0              OKAY
20     2  0             1              NOT OKAY
21     2  0             2              OKAY
22     2  1             0              NOT OKAY
23     2  1             1              NOT OKAY
24     2  1             2              NOT OKAY
25     2  2             0              OKAY
26     2  2             1              NOT OKAY
27     2  2             2              NULL
Which results do you find to be in error?
Updated test code to look cleaner and simpler.
Hello DalJeanis, and thank you for your answer. Yes, the search is fine if I break down the searches into three (removing the | append).
My error is that, for some reason, only swapUsedPct's result is appearing, and I think the append is the cause.
So you're saying swapUsedPct has a value and the other two fields are null?
Have you tried this case statement? case(y=1 OR swapUsedPct1=1 OR CommandCount1=1, "NOT OKAY", (y=0 AND swapUsedPct1=0 AND CommandCount1=0), "OKAY", 1=1, "NULL")
I mean, swapUsedPct1, CommandCount1, and y have values but my Status table only shows that swapUsedPct1 got the right values and CommandCount1 and y's values were not correct.
But if I break down the searches into three, I get the right values for everything.
swapUsedPct1
index=os host=local*
| multikv fields swapUsedPct
| eval swapUsedPct1=if(swapUsedPct>=10,"NOT OKAY","OKAY")
| stats latest(swapUsedPct1) AS swapUsedPct1 by host
CommandCount1
index=os host=local* source=ps
| multikv
| search S=Z PID=* COMMAND=*
| eventstats dc(PID) AS CommandCount by host
| eval CommandCount1=if(CommandCount>=10,"NOT OKAY","OKAY")
| stats latest(CommandCount1) AS CommandCount1 by host
y
index=os host=local* source=ps
| multikv
| rex field=ELAPSED "(?<daytrend>(\d+\-?))"
| eval daytrend=replace (daytrend,"-","")
| eval daytrend=tonumber(trim(daytrend))
| eval x=(182-daytrend)
| eval y=if(x<=1,"NOT OKAY","OKAY")
| stats latest(y) AS y by host
These searches are good on their own. But if I use eval case and consolidate all three of these searches, the result is not the same. There's actually no NULL value on this one; I just made that up to fill up the case.
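To see why the appended version disagrees with the three split-out searches above, this added makeresults test (not from the thread; the host name local01 and the flag values are constructed) fakes the rows that append produces. Each subsearch contributes its own row per host carrying only one of the three flags, so the case() at the end is evaluated on rows where two of the three fields are null, and the stats latest(summary) in the original search then reports whichever of those rows happens to be newest.

```spl
| makeresults
| eval host="local01", swapUsedPct1=0
| append [| makeresults | eval host="local01", CommandCount1=1]
| append [| makeresults | eval host="local01", y=0]
| eval summary=case(y=1 OR swapUsedPct1=1 OR CommandCount1=1, "NOT OKAY",
    y=0 OR swapUsedPct1=0 OR CommandCount1=0, "OKAY",
    true(), "NULL")
| table host swapUsedPct1 CommandCount1 y summary
```

Three rows come back for local01, each with summary computed from the single flag it carries: the swapUsedPct1 row and the y row read OKAY, the CommandCount1 row reads NOT OKAY, and a trailing stats latest(summary) BY host keeps only one of them, which is the mismatch you are seeing. The join in the accepted answer fixes this by putting all three flags on one row per host. The same effect can be had while keeping the appends by collapsing the rows before the eval, with | stats max(swapUsedPct1) AS swapUsedPct1 max(CommandCount1) AS CommandCount1 max(y) AS y BY host, since stats ignores events where a field is missing and max() of the 0/1 flags is 1 whenever any source flagged the host.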
What do you mean by 'a conflict to my "OKAY" and "NOT OKAY" values'?
I'm showing the Status by host, Status consists of swapUsedPct, CommandCount, and y.
If swapUsedPct is NOT OKAY, CommandCount is OKAY, and y is OKAY, the result of the Status
should be NOT OKAY regardless of the OKAY values on other fields.
Have you verified the values of swapUsedPct1, CommandCount1, and y?
Yes, and my current search is not producing the result that I'm expecting. Originally, these were 3 searches consolidated into 1 search.