Filter Data

pglover12
New Member

I have a large list of data. I want to only see lines that include certain words. An example would be: Restart. I want to see all mins that are spent to restart a product. I want to create categories for certain words, sum the mins and have it in a pie chart. So the line item may say... restarted>RESTARTED>re started> etc. I want to capture the information in one section of the pie. I can do a Google Hangout if anyone would like to work with me on this.

0 Karma

gcusello
Legend

Hi @pglover12,

you have to identify the words to use for data classification and use them, e.g.:

error: error, panic, critical

authentication: login, logout, logfail

etc...

your-search
| eval type=case(searchmatch("error"),"error", searchmatch("panic"),"error", searchmatch("critical"),"error", searchmatch("login"),"authentication", searchmatch("logout"),"authentication", searchmatch("logfail"),"authentication")
| stats count BY type

use this search as an approach for your searches.

Ciao.

Giuseppe

0 Karma

tscroggins
Motivator

@pglover12 

If your events do not include a duration, you'll need to calculate one from a start and end event. For example:

Mar 13 00:23:00 host1 food: Restarted.
Mar 13 00:15:00 host1 food: Restarting...

where host=host1 and process=food.

host=* process=* Restarting Restarted
| transaction host process startswith=Restarting endswith=Restarted
| eval duration_mins=duration / 60
| eval category=host.":".process
| stats sum(duration_mins) by category

You can include multiple variations on start and end indicators.

The transaction command doesn't necessarily scale well, but a more detailed example of your source data would be required to provide a more scalable solution.

0 Karma
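
Added example, not part of the thread or written by any of its participants: a search that folds the spelling variants from the question (restarted, RESTARTED, re started) into one category with a case-insensitive regex and sums the minutes per category. The field names `description` and `mins`, the "Changeover" category and the sample rows are constructed assumptions; `makeresults format=csv` only generates test data and would be replaced by the real base search.

```spl
| makeresults format=csv data="description,mins
restarted line 3,12
RESTARTED after jam,7
re started filler,5
Changeover to product B,30
re-start conveyor,4
changeover,15"
| eval mins=tonumber(mins)
| eval category=case(
    match(description, "(?i)re[\s-]?start"), "Restart",
    match(description, "(?i)change\s?over"), "Changeover",
    true(), "Other")
| stats sum(mins) AS total_mins BY category
```

With the pie chart visualization selected, `category` supplies the slice labels and `total_mins` the slice sizes; the `true()` branch keeps unmatched lines visible as "Other" instead of dropping them silently.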