Archive
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

Timechart based on field value (aggregated event count) rather than number of events

flle
Path Finder
‎05-05-2012 02:03 AM

Hi,

I get events from a source which already aggregates events. Examples:

Apr 24 2012 09:59:59,event_name=FWALL: Matched By Firewall, event_count=5,src_ip=199.80.55.144,src_port=80,src_country=Hong Kong,dst_ip=192.168.1.2,dst_port=22628,dst_country=Switzerland,action=mitigate,proto=TCP

Apr 24 2012 09:59:59,event_name=PROTO: HTTP Header Section Too Long, event_count=11,src_ip=212.71.127.101,src_port=80,src_country=Switzerland,dst_ip=192.168.1.2,dst_port=52003,dst_country=Switzerland,action=monitor,proto=TCP

So for statistics on total event count I need to evaluate / sum the number in the event_count field.
So how can I timechart on event_name but evaluate the event_count field rather than the actual number of events collected?

Thanks !

Tags (1)
0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: Timechart based on field value (aggregated event count) rather than number of events

Ayn
Legend
‎05-05-2012 02:30 AM

If you want the sum of the values in the event_count field for some interval, just use the statistical function sum.

... | timechart sum(event_count) by event_name

View solution in original post

Reply