Hello
I have this query:
|datamodel events_prod events summariesonly=true flat
| search _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN
| eval crate_path=source
| rename kafka_uuid as uuid, _time as timestamp, _raw as data
| fields uuid, timestamp , data, crate_path
| dedup uuid
| sort 0 - timestamp
| head 1000
I want to add the total count of the events at the end.
If I'm using append, the query runs for a long time.
Any suggestions?
Thanks
You can replace the fields command with table:
|datamodel events_prod events summariesonly=true flat
| search _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN
| eval crate_path=source, count=1
| rename kafka_uuid as uuid, _time as timestamp, _raw as data
| table uuid, timestamp , data, crate_path
| dedup uuid
| sort 0 - timestamp
| head 1000
| addcoltotals labelfield="Total events" count
The result that comes back is "Total", not a number.
Sorry, I missed the streamstats; that is why count does not exist. I think the query below will work for you.
|datamodel events_prod events summariesonly=true flat
| search _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN
| eval crate_path=source
| rename kafka_uuid as uuid, _time as timestamp, _raw as data
| stats count max(timestamp) as timestamp latest(data) as data latest(crate_path) as crate_path by uuid
| sort 0 - timestamp
| head 1000
| addcoltotals labelfield="Total events" count
The stats command is not working; it returns no results.
Also, even if I fix the stats, the "data" and "crate_path" fields are empty and the "Total Count" still returns "Total" instead of a number.
Can you please share some sample data?
uuid - 4c39b3b
crate_path - [LSAPL]/messages-20200823000221
data - 123 Disabled
Actually, you can insert whatever you want; it should work the same, no?
Since there is no stats command in the search, I thought it is normal to show 1, 2, 3, .... The last row will show the count of events. Maybe you can try the query below.
|datamodel events_prod events summariesonly=true flat
| search _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN
| eval crate_path=source, count=1
| rename kafka_uuid as uuid, _time as timestamp, _raw as data
| fields uuid, timestamp , data, crate_path
| dedup uuid
| sort 0 - timestamp
| head 1000
| addcoltotals labelfield="Total events" count
How can I show it in a table or something?
@sarit_s, you can use the streamstats command to count events.
|datamodel events_prod events summariesonly=true flat
| search _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN
| eval crate_path=source
| rename kafka_uuid as uuid, _time as timestamp, _raw as data
| fields uuid, timestamp , data, crate_path
| dedup uuid
| sort 0 - timestamp
| streamstats count
| head 1000
Hey,
thanks for your reply.
When using streamstats and table after it, it returns results as 1, 2, 3, ... without any correlation to the real number of events.
When I'm using eventstats it returns the real number, but the same number for each row.
Is it possible to return the count at the last row?
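The "Total" instead of a number in the addcoltotals attempts above has two causes that the thread never spells out: the `fields`/`table` command lists `uuid, timestamp, data, crate_path` and therefore drops the `count` field before addcoltotals can sum it, and `labelfield="Total events"` creates a new column named "Total events" that only ever holds the label text (which defaults to "Total"). The search below is an added example, not a query from the thread; it keeps the thread's data model, field names and time window, and adds the `count` column to `table` and uses `labelfield=uuid label="Total events"` so the label lands in the existing `uuid` column of the summary row while `count` holds the total.

```spl
|datamodel events_prod events summariesonly=true flat
| search _time>=1597968172.000 _time<=1598146450.0001 eventtype="csm-messages" tail_id=AN
| eval crate_path=source
| rename kafka_uuid as uuid, _time as timestamp, _raw as data
| dedup uuid
| sort 0 - timestamp
| head 1000
| eval count=1
| table uuid, timestamp, data, crate_path, count
| addcoltotals labelfield=uuid label="Total events" count
```

Because `addcoltotals` runs after `head 1000`, the total it writes is the number of rows actually returned (at most 1000). If the total of all deduplicated events is wanted regardless of the `head` limit, compute it before `head` with `| eventstats count as total_events` and then blank it on every row but the last with `| streamstats count as row_num | eventstats max(row_num) as last_row | eval total_events=if(row_num=last_row, total_events, null()) | fields - row_num last_row`; this avoids the `append` subsearch that was running slowly, since eventstats and streamstats are single passes over the same result set.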