- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Normally, I would use the following search to find my single value:
| tstats latest(_time) as latest where host=($SERVERNAME) by host
| eval noDataTime = now() - latest
| eval status = if(noDataTime>600,"HOST DOWN" ,if(noDataTime>300,"Warning","Available"))
| stats count(eval(status="Available")) AS Available
I am now forwarding the machine data to a summary index that my host names are now listed as "orig_host" in the fields. This will not allow me to run tstats, so I made the following search to find the status of the servers:
orig_host=("$SERVERNAME)
| stats latest(_time) as latest by orig_host
| eval noDataTime = now() - latest
| eval status = if(noDataTime>600,"HOST DOWN" ,if(noDataTime>300,"Warning","Available"))
| convert ctime(latest)
This will list the servers and show their status as HOST DOWN, Warning and Available. I would like to convert this to a single value, which in the past I used "stats count", but have already used "stats" in the search previously. How would I change my search of "orig_host" to a single value? Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use stats twice if you like! Just append
| stats count(eval(status="Available")) AS Available
to the end of the search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use stats twice if you like! Just append
| stats count(eval(status="Available")) AS Available
to the end of the search
