I have a search which gives a top 5 list of faults (S3_call_error2) for a customer base. Instead of just showing the list, I would like to have the system provide the worst customers (S3_call_dest_regid) for each fault.
For example, my current search:
index="genband-cdr" AM00SBC07 OR AM00SBC08 | fillnull value="successful" S3_call_error2 | top S3_call_error2 useother=f BY S3_call_dest_regid | where percent > 3 | top 10 S3_call_error2
This currently returns a table of three columns, "S3_call_error2", "count" and "percent", with the total count for each error. I would like to be able to see this broken down further to also show the ErrorType1 and then the top customers reporting that error, for each of the errors.
Are all the customer fields available in the same index? What are those fields? Can you post some sample data or the names of the fields available?
Yes - all of the fields are in the same index.
I mistyped something in the above question, so replace the 'ErrorType1' statement with S3_call_error2.
The events contain dozens of fields; however, the relevant ones are:
count and percent are calculated.
There are only about 15 possible values for S3_call_error2; however, in the search above the results are limited by the percent statement (3%) to about four or so.
Depending on how many rows you are talking about, you could use the map command to get the top customers for each error. By appending the original list to the result of the map command and then doing some creative sorting, you could get it all into one report.
As stated above, the resulting rows (S3_call_error2) normally number about four, but likely fewer. The end result I want will be the top 2 customers for each error, so we are looking at 8 rows max after my subsearch.
I am trying to play with the map and append commands, however so far no success.
After some digging and banging, I have managed to get the search to work with the recommended map subsearch.
Below is the search string that I have ended up using:
index="genband-cdr" AM00SBC07 OR AM00SBC08 | fillnull value="successful" S3_call_error2 | top S3_call_error2 useother=f | where percent > 3 | map search="search index=genband-cdr AM00SBC07 OR AM00SBC08 | fillnull value=successful S3_call_error2 | search S3_call_error2=$S3_call_error2$ | top S3_call_error2 by S3_call_dest_custid | sort 3 -count | rename S3_call_dest_custid AS PTSID, S3_call_error2 AS Error | table PTSID, Error"
This returns a table showing the top 3 customers (S3_call_dest_custid) for each of the errors (S3_call_error2) reported.
Another issue: the above works as a standalone search; however, when I put it into a dashboard, I get a "Search is waiting for input..." message.
Any thoughts as to why?
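Added example (not from the original thread): a Simple XML dashboard panel carrying the map-plus-append approach suggested earlier in the thread. It lists each error over 3% of calls with its overall count and percent, followed by the two customers (S3_call_dest_custid, renamed PTSID) with the most calls carrying that error. It also addresses the dashboard problem: in Simple XML a single `$` marks a dashboard token, so the map search's `$S3_call_error2$` is read as an unset token and the panel shows "Search is waiting for input..."; a dollar sign that must reach the map command has to be written `$$`. The dashboard label, panel title, time range, `maxsearches` value and the "(all customers)" placeholder are assumptions; the index, host names and field names are taken from the searches in the thread.

```xml
<!-- Added example, not code from the original thread.
     Label, title, time range and the "(all customers)" placeholder are assumed;
     index, hosts and field names come from the searches posted above. -->
<dashboard>
  <label>SBC call errors by customer</label>
  <row>
    <panel>
      <title>Errors over 3% of calls, with the two worst customers for each</title>
      <table>
        <search>
          <query>
index="genband-cdr" AM00SBC07 OR AM00SBC08
| fillnull value="successful" S3_call_error2
| top S3_call_error2 useother=f
| where percent > 3
| map maxsearches=15 search="search index=genband-cdr AM00SBC07 OR AM00SBC08 | fillnull value=successful S3_call_error2 | search S3_call_error2=\"$$S3_call_error2$$\" | top limit=2 S3_call_dest_custid by S3_call_error2 | rename S3_call_dest_custid AS PTSID | eval level=1 | append [| makeresults | eval S3_call_error2=\"$$S3_call_error2$$\", PTSID=\"(all customers)\", count=$$count$$, percent=$$percent$$, level=0 | fields - _time]"
| eventstats max(eval(if(level==0, count, null()))) AS error_total BY S3_call_error2
| sort 0 -error_total S3_call_error2 level -count
| rename S3_call_error2 AS Error
| table Error PTSID count percent
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

How it fits together: the outer `top`/`where` produces one row per error over 3%. `map` runs the quoted search once per row, with `$$S3_call_error2$$`, `$$count$$` and `$$percent$$` replaced by that row's values (written `$$` so the dashboard passes a literal `$` through to map). Each inner run repeats the index, host and `fillnull` filters so the "successful" bucket matches the same events as the outer search, takes the two customers with the most calls for that error, and appends a summary row built with `makeresults` that carries the outer count and percent. `eventstats` copies the summary count onto the customer rows as `error_total`, and `sort` then orders errors by total volume with the summary row first and the two customers beneath it. Note that `percent` on a customer row is that customer's share of calls with that error, while `percent` on the summary row is the error's share of all calls; rename or split the columns if that mix would confuse the dashboard's readers.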