Nevermind @ITWhisperer beat me too it!
There is probably a couple ways of doing this but this seemed to work for me on my local
<base_search>
| eval
time=strptime(TimeStamp, "%Y-%m-%d %H:%M:%S.%Q")
| appendpipe
[
| bucket span=1m time
| stats
sum(SumTotalErrors) as sumErrors
by time
| eval
bucket_type="1 minute"
]
| appendpipe
[
| bucket span=2m time
| stats
sum(SumTotalErrors) as sumErrors
by time
| eval
bucket_type="2 minutes"
]
| appendpipe
[
| bucket span=3m time
| stats
sum(SumTotalErrors) as sumErrors
by time
| eval
bucket_type="3 minutes"
]
| appendpipe
[
| bucket span=5m time
| stats
sum(SumTotalErrors) as sumErrors
by time
| eval
bucket_type="5 minutes"
]
| appendpipe
[
| bucket span=1h time
| stats
sum(SumTotalErrors) as sumErrors
by time
| eval
bucket_type="1 hour"
]
| stats
count as sample_size,
avg(sumErrors) as avg_sumErrors
by bucket_type
| eval
"Average Error Rate (Human Readable)"=round(avg_sumErrors, 0)." Errors per ".'bucket_type'
| addinfo
| eval
search_time_window_sampled=tostring('info_max_time'-'info_min_time', "duration")
| fields - info_*_time, info_sid
| sort 0 +sample_size
Not quite a loop but I am curious about this so I will keep trying out different things.
Output should look something like this
As for the dashboard, you can set up an input token (dropdown) to allow the user to select a span and use that token on the
| bucket span=$span$ time
then do your stats command.
Nevermind @ITWhisperer beat me too it!
There is probably a couple ways of doing this but this seemed to work for me on my local
<base_search>
| eval
time=strptime(TimeStamp, "%Y-%m-%d %H:%M:%S.%Q")
| appendpipe
[
| bucket span=1m time
| stats
sum(SumTotalErrors) as sumErrors
by time
| eval
bucket_type="1 minute"
]
| appendpipe
[
| bucket span=2m time
| stats
sum(SumTotalErrors) as sumErrors
by time
| eval
bucket_type="2 minutes"
]
| appendpipe
[
| bucket span=3m time
| stats
sum(SumTotalErrors) as sumErrors
by time
| eval
bucket_type="3 minutes"
]
| appendpipe
[
| bucket span=5m time
| stats
sum(SumTotalErrors) as sumErrors
by time
| eval
bucket_type="5 minutes"
]
| appendpipe
[
| bucket span=1h time
| stats
sum(SumTotalErrors) as sumErrors
by time
| eval
bucket_type="1 hour"
]
| stats
count as sample_size,
avg(sumErrors) as avg_sumErrors
by bucket_type
| eval
"Average Error Rate (Human Readable)"=round(avg_sumErrors, 0)." Errors per ".'bucket_type'
| addinfo
| eval
search_time_window_sampled=tostring('info_max_time'-'info_min_time', "duration")
| fields - info_*_time, info_sid
| sort 0 +sample_size
Not quite a loop but I am curious about this so I will keep trying out different things.
Output should look something like this
As for the dashboard, you can set up an input token (dropdown) to allow the user to select a span and use that token on the
| bucket span=$span$ time
then do your stats command.
