Hi,
eval total_packet=if(match(Stats_Name, "Pre-Policy"), SUM_of_Bytes, null())
You are creating a new field called total_packet. The value of the field is conditioned to the field stats_name.
If the field stats_name is equal to Pre-policy, the values of the new field total_packet will be equal to SUM_of_Bytes and if not it will be null.
eval packet_drop=if(match(Stats_Name, "Drops"), SUM_of_Bytes, null())
You are creating a new field called packet_drop. The value of the field is conditioned to the field stats_name.
If the field stats_name is equal to Drops, the values of the new field total_packet will be equal to SUM_of_Bytes and if not it will be null.
streamstats window=2 values(total_packet) as total, values(packet_drop) as dropVal by NodeName
this command will create two new fields for the last 2 events seen in a streaming manner by nodename.
total which is the values of the new fields total_packet
dropval which is the values of the new fields packet_drop
eg:
Consider the nodename as your clientIP
Consider total_packet as bytes
consider total as ASimpleSumOfBytes
|search dropVal > 0
You are filtering results with value greater than 0 of the field dropval
eval drop_perc=round((dropVal/total)*100,2)
Calculating the percentage of drop packets and adding the value in a new field called drop_perc.
bin span=30m _time
You are searching of periods of 30 min.
Meaning if you ran this search for the last 4 hours, you will be calculating the above fields per 30 min meaning you will have 8 results. ( 8 * 30min = 4 hours)
| chart avg(drop_perc) as "Drop %" by NodeName
Final result: a chart with the X-axis being the average of the percentage field created above drop_perc and the Y-axis the Nodename.
I had this will help you.
