Hello,
I could collect all the data I need from the log, but I find it so hard to visualize it.
Here is one of my data items (an event):
currprocessid: 0f7befb1-7570-4057-81a7-738d3495500a
currprocessname: 02.Timrapportering
currprocesstype: 0
eventId: error
mainprocessid: 0f7befb1-7570-4057-81a7-738d3495500a
mainprocessname: 2.Timrapportering
pageid: 00000000-0000-0000-0000-000000000000
pagename: Main Page
resourceName: HP4E105402
sessionNumber: 2746
sessionid: 547d706e-abad-46de-bd33-4848d6b37e20
stageid: cbbef370-aa9d-4283-8d7c-590a56d5e766
stagename: System Exception
when: 2019-08-14T11:56:52.0946127Z
I'm trying to collect the last/top 20 items with when, mainprocessname, currprocesstype and resourceName. Any tips on how to query them?
What I reached (the convert has to run before the fields command, otherwise c_time does not exist yet, and the field is resourceName, not ResourceID):
source="BP"
| convert timeformat="%H:%M:%S" ctime(_time) AS c_time
| fields + c_time, resourceName, mainprocessname, currprocesstype
| fields - _raw
It works as a table in search, but when I get to the dashboard and select "limit top", it's not working.
Hi @hazemfarajallah
This code in your 3rd line, | eval time =strptime(t,"%Y-%m-%d, , %H:%M:%S.%Q%Z"),
gives no output for the field time. Replace it with
| eval time = strptime(t, "%Y-%m-%dT%H:%M:%S.%7NZ")
After that, replace earliest(when) with earliest(time) in your stats.
Hi @hazemfarajallah, please accept the answer if it helped you significantly resolve your issue.
Absolutely.
I have a little question about 1=1:
|eval Status = case (eventId="endProcess","Completed" ,eventId="error","Terminated" , 1=1,"Running" )
If the process is running it shows Running, but when it's completed it shows both Running and Completed. Is there any way to overwrite the result?
Hi @hazemfarajallah
The issue is that you are using a case statement here, so 1=1 is an "always true" condition.
Ideally you should use if here and try to assign the different status values, for example
|eval Status = if(eventId="endProcess","Completed",if(eventId="error","Terminated",if(eventId="something else","something else","default status")))
You have to assign a value for Status for all scenarios.
Aha, I understand. Is it possible to use * then, instead of only endProcess or error?
Because the eventId can be very different from one process to another.
Hi @hazemfarajallah
I'm not clear about your question. Where do you want to use *?
You can set a value in the default status quotes; this will get assigned to Status if none of the if conditions match.
I meant to get all eventIds, like select *,
so I don't have to list all eventId values.
I want to eval everything except these two cases, error and completed.
OK, I did this; I think my group by is wrong: |stats earliest(time) AS startTime latest(time) AS endTime by mainprocessname,ResourceID,Status
If I leave it as only by mainprocessname then I get the latest but no timestamp ... not sure where my bug is.
source="BP"
| eval t = when
| eval time =strptime(t,"%Y-%m-%dT%H:%M:%S.%7NZ") | dedup 1 sessionNumber sortby -time
| eval Status = case (eventId="endProcess","Completed" ,eventId="error","Terminated")
|stats earliest(time) AS startTime latest(time) AS endTime by mainprocessname,ResourceID,Status | eval DurationSeconds=(endTime - startTime)
| eval startTime = strftime( strptime( startTime, "%Y-%m-%dT%H:%M:%S"), "%Y-%m-%d %H:%M:%S")
| eval endTime = strftime( strptime( endTime, "%Y-%m-%dT%H:%M:%S"), "%Y-%m-%d %H:%M:%S")
| table startTime,endTime , mainprocessname , ResourceID,Status
| rename mainprocessname as "Process" , ResourceID as "Runtime resource",startTime as "Start time", endTime as "End time"
@hazemfarajallah - Hang on a bit 🙂
Firstly, remove all code after your stats and just confirm that the stats output is correct and as per your expectation.
For example, I cannot see what ResourceID is; I can see something like resourceName.
Even before you check the stats, please check whether each of the evals is giving you the expected result.
You need to debug your code almost line by line; trust me, that is easier than just changing a bit of stuff here and there in a large query and hoping that things will work.
Is Status coming out as expected? What happens if you have an eventId different from endProcess or error? Please verify.
source="BP"
|stats earliest(when) AS startTime latest(when) AS endTime by mainprocessname
|table startTime,endTime , mainprocessname
This shows the time, but it's not formatted.
Here is my sample event:
currprocessid: ae5a9eff-1c7a-48fa-acfa-e2145d06f35f
currprocessname: 04 - Ändra fakturasätt
currprocesstype: 0
eventId: startDecision
mainprocessid: ae5a9eff-1c7a-48fa-acfa-e2145d06f35f
mainprocessname: 04 - Ändra fakturasätt
pageid: 47e58161-0f42-47cc-aa94-af755a8de010
pagename: Change Invoice Type
resourceName: HP20082212
sessionNumber: 3310
sessionid: c557c373-5632-4eb7-a321-f63f73cc1c34
stageid: 33e7422a-4f28-4c41-a408-513d1d704d23
stagename: 9 siffror?
when: 2019-08-16T08:03:20.8916931Z
Where is resourceid, which you are using in your stats command, in the above event?
And you will have to reformat the time back:
|eval startTime =strftime(startTime ,"%Y-%m-%dT%H:%M:%S.%7NZ") |eval endTime=strftime(endTime,"%Y-%m-%dT%H:%M:%S.%7NZ")
Once again, what is resourceid, and what about the Status field, like I asked before?
Sorry, I posted it as an answer.
My resourceid is now resourceName, Status is from the eval on my eventId, but I'm having a problem with the group by because I can't show the Status in the table.
source="BP"
|eval Status = case (eventId="endProcess","Completed" ,eventId="error","Terminated")
|stats earliest(when) AS startTime latest(when) AS endTime by mainprocessname
|eval startTime = strftime( strptime( startTime, "%Y-%m-%dT%H:%M:%S.%7NZ"), "%Y-%m-%d %H:%M:%S")
|eval endTime = strftime( strptime( endTime, "%Y-%m-%dT%H:%M:%S.%7NZ"), "%Y-%m-%d %H:%M:%S")
|table startTime, endTime , mainprocessname,Status
Hi @hazemfarajallah
You cannot see the Status in your table because you are only doing a stats by mainprocessname.
Now, if you add Status to the stats (field names are case-sensitive, so use Status, the name your eval created) like | stats earliest(when) AS startTime latest(when) AS endTime by mainprocessname,Status what output do you get?
Once again, remove all code after the stats and first verify that the stats is correct. It should give you output by mainprocess and Status if the stats is correct.
Hi @hazemfarajallah
Please let us know if your issue is solved or if you still need some more help on this.
If your issue is solved, please let me know if I can convert the comment into an answer for your acceptance.
Hi @suskisen
Very big thanks. I started to follow your idea line by line and fixed almost all the problems.
Thanks.
Status I got from converting the eventId: eval Status = case (eventId="endProcess","Completed" ,eventId="error","Terminated")
and resourceId should be resourceName (my big mistake).
I did what you said line by line 🙂 BIG thanks.
Now everything is in place; you were right.
The query is:
source="BP"
| eval Status = case (eventId="endProcess","Completed" ,eventId="error","Terminated")
|stats earliest(when) AS startTime latest(when) AS endTime by mainprocessname,Status,resourceName
|eval startTime = strftime( strptime( startTime, "%Y-%m-%dT%H:%M:%S.%7NZ"), "%Y-%m-%d %H:%M:%S")
|eval endTime = strftime( strptime( endTime, "%Y-%m-%dT%H:%M:%S.%7NZ"), "%Y-%m-%d %H:%M:%S")
|table startTime,endTime , mainprocessname,Status, resourceName
All in place 🙂
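Putting the thread's fixes together, here is an added example of the whole query as one search. It is my own consolidation, not a query from the original posts or from Splunk or Blue Prism, and it assumes the fields shown in the sample events above (when, eventId, mainprocessname, resourceName, sessionNumber) and that _time was set from when at index time, because earliest() and latest() order events by _time. Two changes from the queries in the thread: the timestamp is parsed once with the %7N format that the accepted answer gives, and Status is derived after stats from the last eventId of each session instead of being a group-by field. Grouping by Status is what produced both a Running row and a Completed row for the same session; with one row per session, the true() branch of case() is the catch-all for every other eventId, and sort 20 limits the table in the search itself so a dashboard panel does not need its own "limit top".

```spl
source="BP"
| eval t = strptime(when, "%Y-%m-%dT%H:%M:%S.%7NZ")
| stats earliest(t) AS startTime, latest(t) AS endTime, latest(eventId) AS lastEvent, count AS events
    by mainprocessname, resourceName, sessionNumber
| eval Status = case(lastEvent="endProcess", "Completed", lastEvent="error", "Terminated", true(), "Running")
| eval DurationSeconds = round(endTime - startTime, 3)
| sort 20 -endTime
| eval startTime = strftime(startTime, "%Y-%m-%d %H:%M:%S"), endTime = strftime(endTime, "%Y-%m-%d %H:%M:%S")
| table startTime, endTime, mainprocessname, resourceName, sessionNumber, Status, DurationSeconds, events
| rename mainprocessname AS "Process", resourceName AS "Runtime resource", startTime AS "Start time", endTime AS "End time"
```

DurationSeconds is computed while startTime and endTime are still epoch numbers; the strftime for display runs only after the sort, because the earlier queries in the thread called strptime on values that were already epochs, which yields empty fields. The format string treats the trailing Z as a literal, as in the accepted answer, so the epoch values are interpreted in the searching user's timezone. If _time already equals when in your index, you can use earliest(_time) and latest(_time) directly and drop the first eval.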
You need to provide better data; either you have really hit a bug (as unlikely as it gets...) or you are probably doing something wrong with time ranges / user roles when you save the table as a panel in a dashboard.
Can you elaborate more? There is no way (well, you can never say never, so a very, very small chance) that what works as a table won't work in a dashboard.
Sorry, I'm back here.
|stats earliest(when) AS startTime latest(when) AS endTime by mainprocessname,ResourceID,Status
I can't get the real time when I use earliest as the start time.
when = when the process starts.
Any suggestions?
Here is my query:
source="BP"
| eval t = when
| eval time =strptime(t,"%Y-%m-%d, , %H:%M:%S.%Q%Z") | dedup 1 sessionNumber sortby -time
|stats earliest(when) AS startTime latest(when) AS endTime by mainprocessname,ResourceID,Status | eval DurationSeconds=(endTime - startTime)
| eval startTime = strftime( strptime( startTime, "%Y-%m-%dT%H:%M:%S"), "%Y-%m-%d %H:%M:%S")
| eval endTime = strftime( strptime( endTime, "%Y-%m-%dT%H:%M:%S"), "%Y-%m-%d %H:%M:%S")
| table startTime,endTime , mainprocessname , ResourceID,Status
| rename mainprocessname as "Process" , ResourceID as "Runtime resource",startTime as "Start time", endTime as "End time"
I am trying to get it in real time.