hi
I need to use eval count in a search like this
| chart count(eval(web > 12))
But this count is right if I filter events previously from a string
what I would like to do is something like this
| chart count(eval(web > 12 AND TOTO=a))
NB: I know I can filter before the chart command, but it's impossible here because my chart command stats a lot of different events...
How to do this please?
Rgds
| chart count(eval(web > 12 AND TOTO=a))
Something like this should work. Did you try it? Is "a" a field OR a string? If it's a string, try enclosing it in double quotes.
I don't understand
Even if I change the web_dom value, the result is the same!
| eval errcap =if(web >= 1 AND web_dom="aa" AND web_url="*", 1, 0)
| eval errcont =if(we >= 1 AND web_dom="bb", 1, 0)
| eval errshare =if(web= 1 AND web_dom="cc", 1, 0)
| chart count(errcap) as "errcap", count(errcont) as "errcont", count(errshare) as "errshare" over Time
| eval counter=if(web > 12 AND TOTO=a, 1, 0)
| chart sum(counter)
I have something very strange
If I add a clause like web_error_code and I assign it a value (404) in the example, it works
| eval errshare =if(web_error_count >= 1 AND web_error_code=404 AND web_domain="sharepoint.com", 1, 0)
| stats sum(errshare)
When I put "*" instead of 404, I have no results!
What is wrong please?
| eval errshare =if(web_error_count >= 1 AND web_error_code="*" AND web_domain="sharepoint.com", 1, 0)
| stats sum(errshare)
I found it: the wildcard for eval and where is not "*" (it only works with the search command)
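Added example, not part of the original thread: a self-contained search over six constructed events (built with makeresults; the field values are made up, the field names are taken from the posts above). It contrasts the literal "*" comparison with isnotnull() and like(), which uses % and _ as wildcards in eval and where. It also shows why count() of a 0/1 flag does not change with the condition: count() counts every non-null value, zeros included, while sum() counts only the matches.

```spl
| makeresults count=6
| streamstats count as n
| eval web_error_count=if(n<=4, 1, 0)
| eval web_error_code=case(n==1, "404", n==2, "500", n==3, "404")
| eval web_domain=if(n<=5, "sharepoint.com", "example.org")
| eval errshare=if(web_error_count >= 1 AND isnotnull(web_error_code) AND web_domain="sharepoint.com", 1, 0)
| stats
    count(eval(web_error_count >= 1 AND web_error_code="*" AND web_domain="sharepoint.com")) as literal_star,
    count(eval(web_error_count >= 1 AND isnotnull(web_error_code) AND web_domain="sharepoint.com")) as any_code,
    count(eval(web_error_count >= 1 AND like(web_error_code, "4%") AND web_domain="sharepoint.com")) as code_4xx,
    count(errshare) as count_of_flag,
    sum(errshare) as sum_of_flag
```

Event 4 has an error count but no web_error_code, so it drops out of any_code; literal_star only matches events whose code is the one-character string "*".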