hi
index=toto sourcetype=tutu type=*
| fields host _time runq type
| join host
    [ search index=toto sourcetype=tutu type=*
      | fields host core
      | stats max(core) as nbcore by host ]
| eval Vel = (runq / nbcore)
| sort - _time
| eval _time = strftime(_time, "%d-%m-%y %H:%M:%S")
| rename host as Host, _time as Heure
| table Heure Host Vel
I use the search below
For one host, an event is indexed every 40 seconds
Now I need to group these events in a span of 30m
So I have added a bin span like this
| bin _time span=30m
So for one host there are many events with the same span value
Now what I need is just the last event indexed for the host in the span
So I need to display something like this:
"host" "time span" "last event generated"
I think it's not very difficult, but I have a bug
Could you help please?
index=toto sourcetype=tutu type=*
| fields host _time runq type
| join host
    [ search index=toto sourcetype=tutu type=*
      | fields host core
      | stats max(core) as nbcore by host ]
| eval Vel = (runq / nbcore)
| bin _time as Heure span=30m
| stats latest(Vel) as Vel by Heure host
| eval Heure = strftime(Heure, "%d-%m-%y %H:%M:%S")
| rename host as Host
You could use
| bin _time as time span=30m
This preserves _time so you can do latest(_raw) for example and still group by time (not _time).
Sorry, but I don't understand
could you please give me an example following my search?
thanks
Many thanks
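To make the two answers concrete, here is an added reference model (not code from the thread or from Splunk) of what `bin _time as time span=30m` followed by `stats latest(...) by time host` computes. It assumes the documented semantics: `bin` floors each `_time` to the start of its 30-minute span, `stats latest(x)` returns `x` from the event with the greatest `_time` in each group, and binning into a new field (`time`) leaves `_time` untouched so the last event's real timestamp can still be reported. The events, host names and values are constructed sample data; `EVENTS`, `bin_time`, `max_core_by_host` and `latest_per_span` are names chosen for this example.

```python
from datetime import datetime, timedelta, timezone

SPAN = timedelta(minutes=30)

# Constructed sample events (not from the thread): one run-queue sample
# roughly every 40 seconds per host, plus the host's core count.
# Tuple layout: (_time, host, runq, core)
EVENTS = [
    (datetime(2023, 5, 1, 8, 0, 10, tzinfo=timezone.utc), "srv1", 2.0, 4),
    (datetime(2023, 5, 1, 8, 0, 50, tzinfo=timezone.utc), "srv1", 6.0, 4),
    (datetime(2023, 5, 1, 8, 29, 30, tzinfo=timezone.utc), "srv1", 8.0, 4),
    (datetime(2023, 5, 1, 8, 30, 10, tzinfo=timezone.utc), "srv1", 1.0, 4),
    (datetime(2023, 5, 1, 8, 0, 20, tzinfo=timezone.utc), "srv2", 4.0, 2),
    (datetime(2023, 5, 1, 8, 31, 0, tzinfo=timezone.utc), "srv2", 3.0, 2),
    (datetime(2023, 5, 1, 8, 59, 59, tzinfo=timezone.utc), "srv2", 5.0, 2),
]

FMT = "%d-%m-%y %H:%M:%S"  # same strftime format as the searches in the thread


def bin_time(t, span=SPAN):
    """Model of `bin _time span=30m`: floor the timestamp to the span boundary."""
    epoch = int(t.timestamp())
    width = int(span.total_seconds())
    return datetime.fromtimestamp(epoch - epoch % width, tz=timezone.utc)


def max_core_by_host(events):
    """Model of the subsearch `stats max(core) as nbcore by host`."""
    nbcore = {}
    for _, host, _, core in events:
        nbcore[host] = max(core, nbcore.get(host, core))
    return nbcore


def latest_per_span(events):
    """Model of:
         | eval Vel = runq / nbcore
         | bin _time as time span=30m
         | stats latest(_time) as last_event latest(Vel) as Vel by time host
    Returns {(span_start_str, host): (last_event_str, Vel)}.
    Because the span goes into a separate field, the real _time of the
    last event in each group is still available for reporting."""
    nbcore = max_core_by_host(events)
    latest = {}  # (span_start, host) -> (_time of latest event, Vel)
    for t, host, runq, _ in events:
        key = (bin_time(t), host)
        vel = runq / nbcore[host]
        # latest(): keep the value from the event with the greatest _time
        if key not in latest or t > latest[key][0]:
            latest[key] = (t, vel)
    return {
        (span.strftime(FMT), host): (t.strftime(FMT), round(vel, 3))
        for (span, host), (t, vel) in latest.items()
    }


if __name__ == "__main__":
    for (span, host), (last_event, vel) in sorted(latest_per_span(EVENTS).items()):
        print(span, host, last_event, vel)
```

Grouping by `time host` (rather than by the span alone) is what keeps one row per host per span; grouping by the span only would collapse all hosts in that half hour into a single row holding whichever host's event happened to be last.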