Solved: How to do I combine my two similar searches for my...

joydeep741 · ‎12-11-2015

I am post processing my dashboard.
I have two searches and I wish to club them into one:

1) index=ABC sourcetype=XYZ | timechart count by websphere_clone_id limit=0

2) index=ABC sourcetype=XYZ HTTPstatus=5* | timechart count by websphere_clone_id limit=0

What condition should I put after the timechart to filter out results with HTTPstatus=5* ? Or is there any other way all together?

sundareshr · ‎12-11-2015

Try this

index=ABC ... | eval h=if(HTTPstatus=5*, 1, 0) | timechart count as total, count(h) as h5 by websphere_clone_id limit=0

woodcock · ‎12-11-2015

Like this:

index=ABC sourcetype=XYZ | timechart count AS total count(eval(like(HTTPstatus, "5%"))) AS h5 BY websphere_clone_id limit=0

sundareshr · ‎12-11-2015

Try this

index=ABC ... | eval h=if(HTTPstatus=5*, 1, 0) | timechart count as total, count(h) as h5 by websphere_clone_id limit=0

How to do I combine my two similar searches for my post process dashboard?