I have a large list of data. I want to only see lines that include certain words. i.e. would be: Restart. I want to see all mins that are spent to restart a product. I want to create categories for certain words, sum the mins and have it in a pie chart. So the line item may say...restarted>RESTARTED>re started> etc. I want to capture the information in one section of the pie. I can do a Google Hangout if anyone would like to work with me on this.
Hi @pglover12,
You have to identify the words to use for data classification and use them, e.g.:
error: error, panic, critical
authentication: login, logout, logfail
etc...
your-search
| eval type=case(searchmatch("error"),"error", searchmatch("panic"),"error", searchmatch("critical"),"error", searchmatch("login"),"authentication", searchmatch("logout"),"authentication", searchmatch("logfail"),"authentication")
| stats count BY type
Use this search as an approach for your searches.
Ciao.
Giuseppe
If your events do not include a duration, you'll need to calculate one from a start and end event. For example:
Mar 13 00:23:00 host1 food: Restarted.
Mar 13 00:15:00 host1 food: Restarting...
where host=host1 and process=food.
host=* process=* Restarting Restarted
| transaction host process startswith=Restarting endswith=Restarted
| eval duration_mins=duration / 60
| eval category=host.":".process
| stats sum(duration_mins) by category
You can include multiple variations on start and end indicators.
The transaction command doesn't necessarily scale well, but a more detailed example of your source data would be required to provide a more scalable solution.
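The two answers above describe the same pipeline in SPL: classify each event into a category by keyword (the eval/case approach), and pair a start event with its matching end event per host and process to derive a duration (the transaction approach). The Python below is an added example that reproduces that logic offline so the classification and pairing can be checked before building the Splunk search; it is not code from either answer or from Splunk. The log lines, the host/process field layout, the category regexes and the year used for timestamps are all constructed assumptions. It goes slightly beyond the answers by using case-insensitive regexes so that "restarted", "RESTARTED" and "re started" fall into one category, as the question asks.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the thread). Layout assumed:
# "Mon DD HH:MM:SS host process: message".
SAMPLE_EVENTS = """\
Mar 13 00:15:00 host1 food: Restarting...
Mar 13 00:23:00 host1 food: Restarted.
Mar 13 01:00:00 host2 bar: re starting service
Mar 13 01:05:30 host2 bar: RE STARTED ok
Mar 13 02:00:00 host1 auth: login failed for user bob
Mar 13 02:01:00 host1 kern: PANIC: out of memory
Mar 13 03:00:00 host3 food: Restarting...
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<process>[^:]+): (?P<msg>.*)$"
)

# Category rules, mirroring `eval type=case(searchmatch(...), "...", ...)`.
# Regexes are case-insensitive and allow an optional space so that
# "restarted", "RESTARTED" and "re started" share one bucket.
# First matching rule wins, exactly like case().
CATEGORY_RULES = [
    ("restart", re.compile(r"(?i)\bre\s?start")),
    ("error", re.compile(r"(?i)\b(error|panic|critical)\b")),
    ("authentication", re.compile(r"(?i)\b(login|logout|logfail)\b")),
]

# Start/end markers for the transaction-style pairing (assumed wording).
START_RE = re.compile(r"(?i)\bre\s?starting\b")
END_RE = re.compile(r"(?i)\bre\s?started\b")


def parse_events(text, year=2024):
    """Parse the raw lines into dicts with a real timestamp (year assumed)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "process": m["process"], "msg": m["msg"]})
    return events


def classify(msg):
    """Return the first category whose regex matches, or 'other'."""
    for name, rx in CATEGORY_RULES:
        if rx.search(msg):
            return name
    return "other"


def count_by_type(events):
    """Equivalent of `| stats count BY type` on the classified events."""
    counts = defaultdict(int)
    for e in events:
        counts[classify(e["msg"])] += 1
    return dict(counts)


def restart_minutes_by_category(events):
    """Pair each start with the next end for the same host:process
    (the `transaction host process startswith=... endswith=...` idea)
    and sum the minutes per category, as `stats sum(duration_mins) by category`.
    A start with no matching end is left out, as an incomplete transaction."""
    open_starts = {}
    totals = defaultdict(float)
    for e in sorted(events, key=lambda e: e["ts"]):
        key = f"{e['host']}:{e['process']}"
        if START_RE.search(e["msg"]):
            open_starts[key] = e["ts"]  # a newer start replaces an unfinished one
        elif END_RE.search(e["msg"]) and key in open_starts:
            totals[key] += (e["ts"] - open_starts.pop(key)).total_seconds() / 60
    return dict(totals)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("count by type:", count_by_type(evs))
    print("restart minutes by category:", restart_minutes_by_category(evs))
```

The unpaired "Restarting" on host3 is dropped rather than counted, which is the same thing to watch for in Splunk: a transaction that never closes contributes no duration, so a category whose restarts have not finished yet will look smaller in the pie than it really is.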