How to show the avg and their status in Flow Map viz connections.
index=gc source="log" QUE_NAM="S*"
| stats sum(eval(FINAL="MQ SUCCESS")) as good
sum(eval(FINAL="CONN FAILED")) as errors
sum(eval(FINAL="MEND FAIL")) as warn avg(QUE_DEP) as queueAvgDept by QUE_NAM
| eval to=QUE_NAM, from="internal"
| append
[search index=es sourcetype=queue_monitor queue_name IN ("*Q","*R")
| bucket _time span=10m
| stats max(current_depth) as max_Depth avg(current_depth) as avg_Depth by _time queue_name queue_manager
| eval to=queue_name, from="external"]
For this query, i got below visualization and i need to connect between internal and external one ( highlighted in red color and how to show the avg count through the flow in between external and name)
Please help me out on this
Thanks in advance!
Hi @Anud,
We can optimize your search if you provide mock samples of your data, but here's an example using makeresults and your current search structure to simulate the fields required by the visualization:
| makeresults format=csv data="QUE_NAM,FINAL,QUE_DEP
S_FOO,MQ SUCCESS,
S_FOO,CONN FAILED,
S_FOO,MEND FAIL,
S_FOO,,3"
| stats sum(eval(if(FINAL=="MQ SUCCESS", 1, 0))) as good sum(eval(if(FINAL=="CONN FAILED", 1, 0))) as error sum(eval(if(FINAL=="MEND FAIL", 1, 0))) as warn avg(QUE_DEP) as label by QUE_NAM
| rename QUE_NAM as to
| eval from="internal", label="Avg: ".label." Good: ".good." Warn: ".warn." Error: ".error
| append
[| makeresults format=csv data="queue_name,current_depth
BAR_Q,1
BAZ_R,2"
| bin _time span=10m
| stats avg(current_depth) as label by queue_name
| rename queue_name as to
| eval from="external", label="Avg: ".label
| appendpipe
[ stats values(to) as from
| mvexpand from
| eval to="internal" ]]good, error, and warn are special fields supported by the visualization. Add the label field to provide a custom link label, and leave the special fields intact to produce the flowing dot animation.
