I have a large list of data. I want to only see lines that include certain words, i.e. it would be: Restart. I want to see all mins that are spent to restart a product. I want to create categories for certain words, sum the mins and have it in a pie chart. So the line item may say... restarted > RESTARTED > re started, etc. I want to capture the information in one section of the pie. I can do a Google Hangout if anyone would like to work with me on this.

Hi @pglover12,

You have to identify the words to use for data classification and use them, e.g.:

error: error, panic, critical

authentication: login, logout, logfail


| eval type=case(
    searchmatch("error"),    "error",
    searchmatch("panic"),    "error",
    searchmatch("critical"), "error",
    searchmatch("login"),    "authentication",
    searchmatch("logout"),   "authentication",
    searchmatch("logfail"),  "authentication",
    true(),                  "other")
| stats count BY type

Use this search as an approach for your searches.
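As an added example (not part of the answer above), here is the same case() classification written with match() and a regular expression instead of searchmatch(), so that the spelling variants from the question (restarted, RESTARTED, re started) all land in one bucket, plus a catch-all bucket so unmatched events are not silently dropped by stats. The index and sourcetype are placeholders, and the rex line assumes the minutes appear in the raw text as a number followed by "min" or "mins"; adjust it to the real field or format.

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE
| rex field=_raw "(?<mins>\d+)\s*mins?"
| eval category=case(
    match(_raw, "(?i)re\s*start"),               "restart",
    match(_raw, "(?i)\b(error|panic|critical)\b"), "error",
    match(_raw, "(?i)\b(login|logout|logfail)\b"), "authentication",
    true(),                                      "other")
| stats sum(mins) AS total_mins count AS events BY category
```

case() returns the value of the first clause that is true, so put the most specific patterns first and keep true() last. The (?i) flag makes the match case-insensitive and \s* tolerates the space in "re started"; a plain searchmatch("restarted") would miss that variant. The resulting total_mins BY category table can be switched straight to a pie chart in the Visualization tab; check the "other" slice first, since a large one usually means a keyword variant you have not captured yet.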



If your events do not include a duration, you'll need to calculate one from a start and end event. For example:

Mar 13 00:23:00 host1 food: Restarted.
Mar 13 00:15:00 host1 food: Restarting...

where host=host1 and process=food.

host=* process=* Restarting Restarted
| transaction host process startswith=Restarting endswith=Restarted
| eval duration_mins=duration / 60
| eval category=host.":".process
| stats sum(duration_mins) by category

You can include multiple variations on start and end indicators.

The transaction command doesn't necessarily scale well, but a more detailed example of your source data would be required to provide a more scalable solution.
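Because of the scaling caveat above, here is an added example (not from the answer) that pairs each Restarted event with the most recent Restarting event for the same host and process using streamstats instead of transaction, which keeps the work inside the ordinary stats pipeline rather than transaction's in-memory event grouping. It assumes the host and process fields are already extracted, as in the answer's own search, and that for any one host:process a Restarting event is followed by its Restarted event before the next Restarting begins.

```spl
host=* process=* ("Restarting" OR "Restarted")
| eval phase=case(
    match(_raw, "(?i)re\s*starting"), "start",
    match(_raw, "(?i)re\s*started"),  "end")
| where isnotnull(phase)
| sort 0 host process _time
| streamstats current=f last(_time) AS prev_time last(phase) AS prev_phase BY host process
| where phase="end" AND prev_phase="start"
| eval duration_mins=(_time - prev_time) / 60
| eval category=host.":".process
| stats sum(duration_mins) AS total_mins count AS restarts BY category
```

sort 0 orders the events oldest first so that streamstats with current=f sees, for each event, the time and phase of the one just before it within the same host and process. Only an "end" whose predecessor is a "start" produces a duration; with the two sample events from the answer this yields 8 minutes for host1:food. A Restarting with no matching Restarted (a restart that never completed) and a Restarted with no preceding Restarting are both discarded, so if those cases matter, add a stats count BY host process phase beforehand to see how many unmatched events you have.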

