I have the search to get max number of hours without events for feeds.
It works just for one index. It wouldn't work with more than one index. How can I get it to work for multiple indexes?
index=feed1 OR index=feed2
| bucket _time span=1h
| stats count as event_count by _time, index
| search event_count!=0
| delta _time as mydelta
| eval number_of_zeros=floor(mydelta/3600)-1
| stats max(number_of_zeros) by index
When you are calculating delta, there are different events which it uses based on whether there is one index or several. For that reason the delta between those events is different. You could get a better result if you change the stats "by" to index, _time instead of _time, index (but it still doesn't work 100% of the time; it will be broken when the index changes from one to another). I'm afraid that you need to reformulate this query to get the correct answer for several indexes.
You can check the events by commenting out the last stats statement and trying to figure out the correct answer.
r. Ismo
Hi @vl951f,
are you sure that the field name is always the same in all indexes (upper and lowercase)?
If not, you have to add a command to your search:
index=feed1 OR index=feed2
| eval event_count=coalesce(event_count1, event_count2)
| bucket _time span=1h
| stats count as event_count by _time, index
| search event_count!=0
| delta _time as mydelta
| eval number_of_zeros=floor(mydelta/3600)-1
| stats max(number_of_zeros) by index
When you insert code in your comments, please use the Insert/Edit code sample button (</>).
Ciao.
Giuseppe
I'm just counting the number of events for each hour for the index.
| bucket _time span=1h
| stats count as event_count by _time, index
It didn't use any other field names.
"It wouldn't work" is not a problem description. Your query works for me (using my own index names). Well, it produces output, anyway. I can't say if it truly works since you don't say what it's supposed to do.
What results do you get and what results do you expect?
If this reply helps you, Karma would be appreciated.
Hi,
I'm trying to get the max number of hours with no events for the indexes.
It works when I did it for one index.
index=feed1
Result:
index max(number_of_zeros)
feed1 6
index=feed2
Result:
index max(number_of_zeros)
feed2 4
But got wrong results for more than one index:
index=feed1 OR index=feed2
Result:
index max(number_of_zeros)
feed1 1
feed2 2
It works by changing "by _time,index" to "by index,_time"!
Thank you so much
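As an added illustration (not code from the thread or from Splunk), the following Python models the row order each `stats ... by` variant hands to `delta`, using constructed hourly event data for three hypothetical indexes (feed1, feed2, feed3). It reproduces the interleaving problem of the original search and the cross-index boundary artifact Ismo warns about, next to a per-index computation that gets the right answer.

```python
from collections import defaultdict

HOUR = 3600
T0 = 1_700_000_000 - 1_700_000_000 % HOUR   # constructed start, aligned to an hour

# Constructed raw events as (index, _time); not data from the thread.
# feed1: 6 empty hours between buckets h1 and h8; feed2: 4 between h0 and h5;
# feed3: no gaps at all, but its data starts 5h after feed2's last bucket.
EVENTS = (
    [("feed1", T0 + h * HOUR + 120) for h in (0, 1, 8, 9)]
    + [("feed2", T0 + h * HOUR + 300) for h in (0, 5, 6, 10)]
    + [("feed3", T0 + h * HOUR + 60) for h in (15, 16, 17)]
)

def hourly_buckets(events):
    """bucket _time span=1h | stats count as event_count by _time, index"""
    counts = defaultdict(int)
    for index, ts in events:
        counts[(index, ts - ts % HOUR)] += 1
    return counts   # keys are (index, bucket_start); empty buckets never appear

def number_of_zeros(mydelta):
    """eval number_of_zeros=floor(mydelta/3600)-1"""
    return mydelta // HOUR - 1

def by_time_then_index(row):
    return (row[1], row[0])   # row order emitted by `stats ... by _time, index`

def by_index_then_time(row):
    return row                # row order emitted by `stats ... by index, _time`

def max_gap_like_delta(events, order):
    """`delta _time as mydelta` has no `by`: it differences consecutive rows of
    the whole result set in the given order; then `stats max(...) by index`."""
    best, prev = {}, None
    for index, t in sorted(hourly_buckets(events), key=order):
        if prev is not None:                  # delta leaves the first row empty
            gap = number_of_zeros(t - prev)
            best[index] = max(best.get(index, gap), gap)
        prev = t
    return best

def max_gap_per_index(events):
    """Correct version: the previous bucket is tracked per index, so no delta
    is ever taken across two indexes (SPL: streamstats current=f last(_time) by index)."""
    best, prev = {}, {}
    for index, t in sorted(hourly_buckets(events)):
        if index in prev:
            gap = number_of_zeros(t - prev[index])
            best[index] = max(best.get(index, gap), gap)
        prev[index] = t
    return best
```

With this data the original order underestimates every gap (feed1 gets 1 instead of 6), and the index-first order is right for feed1 and feed2 but credits feed3 with a 4-hour gap that is really the distance from feed2's last bucket to feed3's first.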