How can we subtract the dequeue count from an hour ago from the current dequeue count to monitor that queues are progressing?
Log lines are like these:
2022/06/14 09:19:02 queue=ABC size=0 consumerCount=2 enqueueCount=12907 dequeueCount=15466
2022/06/14 08:19:02 queue=ABC size=0 consumerCount=2 enqueueCount=12850 dequeueCount=15409
Looking to subtract dequeueCount (15466-15409) and set up an alert if it equals 0.
Thanks
Try something like this
sourcetype=amq_queues queue=ABC | where size > 0 | eventstats max(dequeueCount) as maximum min(dequeueCount) as minimum by queue | where maximum=minimum
@ITWhisperer Thanks, tried but don't see any difference
streamstats looks like a better option; not sure how we can save the max and min values as variables and then do the subtraction.
Tried the following (it is always giving the latest result); was expecting output only when the queue has not been dequeuing for the last hour:
sourcetype=amq_queues queue=ABC | where size > 0 | streamstats max(dequeueCount) as maximum min(dequeueCount) as minimum | where maximum - minimum = 0
Please can you expand on your problem - do you have multiple log events per hour? Do you want to compare the first event with the last event? Do you want only one result?
Try something like this
| sort 0 _time
| streamstats window=1 current=f values(dequeueCount) as previousDequeueCount
| eval dequeues=dequeueCount-previousDequeueCount
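Added example, not part of the thread: a Python sketch of the same previous-sample subtraction that the streamstats answer performs, run offline over the two log lines from the question so the delta logic can be checked before an alert is built on it. The XYZ lines, the function names, and the choice to combine a zero delta with the size > 0 filter from the first reply are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two ABC lines come from the question; the XYZ lines are constructed
# to show a queue with a backlog whose dequeueCount did not move.
SAMPLE_LOG = """\
2022/06/14 09:19:02 queue=ABC size=0 consumerCount=2 enqueueCount=12907 dequeueCount=15466
2022/06/14 08:19:02 queue=ABC size=0 consumerCount=2 enqueueCount=12850 dequeueCount=15409
2022/06/14 09:19:02 queue=XYZ size=7 consumerCount=1 enqueueCount=507 dequeueCount=500
2022/06/14 08:19:02 queue=XYZ size=4 consumerCount=1 enqueueCount=504 dequeueCount=500
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)$")

def parse(text):
    """Yield (time, queue, size, dequeueCount) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        try:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            yield ts, fields["queue"], int(fields["size"]), int(fields["dequeueCount"])
        except (KeyError, ValueError):
            continue  # missing or non-numeric field

def dequeue_deltas(text):
    """Per queue, oldest first: (time, size, dequeues since the previous sample)."""
    by_queue = defaultdict(list)
    for ts, queue, size, count in parse(text):
        by_queue[queue].append((ts, size, count))
    deltas = defaultdict(list)
    for queue, samples in by_queue.items():
        samples.sort()  # same role as "sort 0 _time"
        # Pair each sample with its predecessor; the first sample has none.
        for (_, _, prev), (ts, size, cur) in zip(samples, samples[1:]):
            deltas[queue].append((ts, size, cur - prev))
    return dict(deltas)

def stalled_queues(text):
    """Queues whose newest sample has a backlog (size > 0) and zero dequeues."""
    return sorted(q for q, rows in dequeue_deltas(text).items()
                  if rows[-1][1] > 0 and rows[-1][2] == 0)

if __name__ == "__main__":
    print(dequeue_deltas(SAMPLE_LOG)["ABC"][-1][2])
    print(stalled_queues(SAMPLE_LOG))
```

Grouping by queue before pairing samples matters once more than one queue is logged; otherwise a sample from one queue is subtracted from another's.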