Or maybe it is easier to mention the date in the description when an e-mail is sent.
This is my search at the moment:
index=smsc tag=MPRO_PRODUCTION DATA ="*" command_id_description="*" NOT (...) command_status_code="*" NOT (...) | dedup DATA | chart count by SHORT_ID, command_status_code | search NOT ESME_RTHROTTLED=0 | sort - ESME_RTHROTTLED | head 15
Thanks for your help!
Do you want to have the timestamp (assuming _time) field along with the chart command output? If yes, give something like this a try (gets last time for a SHORT_ID and command_status_code combination):
index=smsc tag=MPRO_PRODUCTION DATA ="*" command_id_description="*" NOT (...) command_status_code="*" NOT (...) | dedup DATA | stats count max(_time) as time by SHORT_ID command_status_code | eval SHORT_ID_time=SHORT_ID."####".time | chart sum(count) as count by SHORT_ID_time, command_status_code | search NOT ESME_RTHROTTLED=0 | sort - ESME_RTHROTTLED | head 15
| rex field=SHORT_ID_time "(?<SHORT_ID>.+)####(?<time>.+)" | fields - SHORT_ID_time | rename time as _time
| table _time SHORT_ID *
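To see what the suggested pipeline actually produces before running it against the SMSC index, here is an added Python model of it (not Splunk code and not from this thread) run over a handful of constructed events. It reproduces each stage of the search above: `dedup DATA`, `stats count max(_time) by SHORT_ID command_status_code`, the `SHORT_ID."####".time` key, the `chart` (which fills absent combinations with 0, which is what `search NOT ESME_RTHROTTLED=0` then removes), `sort`/`head`, and the `rex` split back into `SHORT_ID` and `_time`. The field values, the `ESME_ROK` status code and the timestamps are all made up for the example. One thing the model makes visible: because the chart key combines `SHORT_ID` with the last-seen time of each status code, a `SHORT_ID` whose status codes were last seen at different times is spread over several rows, and each of those rows shows 0 for the other status codes.

```python
from datetime import datetime

SEP = "####"  # same separator the SPL eval uses to glue SHORT_ID and time together

# Constructed sample events (not from the thread). Timestamps are ISO strings,
# which compare correctly as text; Splunk's _time is an epoch number.
SAMPLE_EVENTS = [
    {"_time": "2020-02-05 23:59:50", "SHORT_ID": "1001", "command_status_code": "ESME_RTHROTTLED", "DATA": "aa01"},
    {"_time": "2020-02-05 23:59:51", "SHORT_ID": "1001", "command_status_code": "ESME_RTHROTTLED", "DATA": "aa02"},
    {"_time": "2020-02-05 23:59:52", "SHORT_ID": "1001", "command_status_code": "ESME_RTHROTTLED", "DATA": "aa02"},  # duplicate DATA
    {"_time": "2020-02-05 23:59:53", "SHORT_ID": "1001", "command_status_code": "ESME_ROK", "DATA": "aa03"},
    {"_time": "2020-02-05 23:59:54", "SHORT_ID": "1002", "command_status_code": "ESME_ROK", "DATA": "bb01"},
    {"_time": "2020-02-05 23:59:55", "SHORT_ID": "1003", "command_status_code": "ESME_RTHROTTLED", "DATA": "cc01"},
    {"_time": "2020-02-05 23:59:56", "SHORT_ID": "1003", "command_status_code": "ESME_RTHROTTLED", "DATA": "cc01"},  # duplicate DATA
]


def dedup(events, field="DATA"):
    """`dedup DATA`: keep only the first event seen for each distinct value of the field."""
    seen, kept = set(), []
    for ev in events:
        if ev[field] not in seen:
            seen.add(ev[field])
            kept.append(ev)
    return kept


def stats_count_maxtime(events):
    """`stats count max(_time) as time by SHORT_ID command_status_code`."""
    agg = {}
    for ev in events:
        key = (ev["SHORT_ID"], ev["command_status_code"])
        entry = agg.setdefault(key, {"count": 0, "time": ev["_time"]})
        entry["count"] += 1
        entry["time"] = max(entry["time"], ev["_time"])
    return agg


def chart_by_key_and_status(agg):
    """`eval SHORT_ID_time=SHORT_ID."####".time | chart sum(count) as count by SHORT_ID_time, command_status_code`.

    Returns one row per SHORT_ID_time key with a column for every status code;
    combinations that never occurred are filled with 0, exactly as chart does.
    """
    statuses = sorted({status for (_, status) in agg})
    rows = {}
    for (short_id, status), entry in agg.items():
        row_key = f"{short_id}{SEP}{entry['time']}"
        row = rows.setdefault(row_key, {s: 0 for s in statuses})
        row[status] += entry["count"]
    return rows


def throttled_top(events, limit=15, column="ESME_RTHROTTLED"):
    """Whole pipeline: dedup -> stats -> chart -> `search NOT ESME_RTHROTTLED=0`
    -> `sort - ESME_RTHROTTLED` -> `head 15` -> rex split -> `table _time SHORT_ID *`."""
    rows = chart_by_key_and_status(stats_count_maxtime(dedup(events)))
    kept = [(key, row) for key, row in rows.items() if row.get(column, 0) != 0]
    kept.sort(key=lambda kr: kr[1][column], reverse=True)  # stable sort, like Splunk's
    result = []
    for key, row in kept[:limit]:
        short_id, time = key.split(SEP, 1)  # the `rex field=SHORT_ID_time ...` step
        datetime.strptime(time, "%Y-%m-%d %H:%M:%S")  # sanity check that the split recovered a timestamp
        result.append({"_time": time, "SHORT_ID": short_id, **row})
    return result


if __name__ == "__main__":
    for row in throttled_top(SAMPLE_EVENTS):
        print(row)
```

Running it lists SHORT_ID 1001 (2 throttled, last seen 23:59:51) and 1003 (1 throttled); the ESME_ROK count of 1001 lands in a separate row keyed on 23:59:53, which the `NOT ESME_RTHROTTLED=0` filter drops, so the surviving 1001 row reports ESME_ROK as 0.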
This doesn't look bad, but now one field value (command_status_code) doesn't show any count/number.
The timestamp is now available. The second field value (command_status_code) is right (right count).
Sample log, please.
2020-02-05 23:59:59.973348 SESSION_ID=... TRANS_ID=... MSG_ID=... SHORT_ID=... ORIGINATOR="IP":"Port" PROXY="IP":"Port" DESTINATION="IP":"Port" RESULT=0 LENGTH=25 DATA=000000198000000400000000000000A3364636354337434500 EXTRA=
I've removed the field values.
| chart count by SHORT_ID, command_status_code
Does your sample contain above two fields?
| search NOT ESME_RTHROTTLED=0
What's ESME_RTHROTTLED?
I think your chart result is like below:
SHORT_ID,command_status_code_A,command_status_code_B,command_status_code_C
SHORT_ID_A,x,x,x
SHORT_ID_B,y,y,y
....
Using bin, stats and untable works well for aggregation with time as rows in multiple elements, but in that case we cannot make a query unless we know what the value of the field is.