- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
raby1996
Path Finder
06-01-2016
02:09 PM
Hi all,
I have the following search
"result generating search"| eval z=mvzip(Bundle, Load_Time) | mvexpand z | streamstats window=2 current=f range(Load_Time) as time_diff by Machine_Serial| eval time_diff=if(isnull(time_diff), now()-Load_Time, time_diff)| eval timed=time_diff/86400 | stats dc(Bundle) as count values(Bundle) as Bundle values(_time) as time list(time2) as Date values(time_diff) as time_diff values(timed) as tim_diff(H) by Machine_Serial | sort 0 -num(tim_diff(H))
Which returns a table that looks something like this:
Machine_Serial count Bundle time Date time_diff tim_diff(H)
____________________________________________________________________________________________
75123 3 1.1 1458049413 2016/03/16 6702139.000000 1134.5710532407
1.3 1458053068 2013/04/2 98026939.000000 1135.5710532407
1.4 1464618084 2013/04/23 98113339.000000 77.57105324074
--------------------------------------------------------------------------------------------
75334 1 1.5 1464788901 2012/10/17 114356539.000000 1323.57105324074
I've been trying to sort based on the values of time_diff(H) using the sort command, however, it doesn't seem to work on the values in the same under the same group, so they'll be mismatched internally. I've attempted various sort commands, as well placing it in different locations, but I haven't been able to crack it. Is there any I can achieve this?
Thank you in advance.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-01-2016
09:52 PM
Give this a try
"result generating search"| eval z=mvzip(Bundle, Load_Time) | mvexpand z | streamstats window=2 current=f range(Load_Time) as time_diff by Machine_Serial| eval time_diff=if(isnull(time_diff), now()-Load_Time, time_diff)| eval timed=time_diff/86400
| stats count by Machine_Serial Bundle _time time2 time_diff times
| sort 0 Machine_Serial -num(timed)
| stats dc(Bundle) as count list(Bundle) as Bundle list(_time) as time list(time2) as Date list(time_diff) as time_diff list(timed) as tim_diff(H) by Machine_Serial | sort 0 -num(tim_diff(H))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-01-2016
09:52 PM
Give this a try
"result generating search"| eval z=mvzip(Bundle, Load_Time) | mvexpand z | streamstats window=2 current=f range(Load_Time) as time_diff by Machine_Serial| eval time_diff=if(isnull(time_diff), now()-Load_Time, time_diff)| eval timed=time_diff/86400
| stats count by Machine_Serial Bundle _time time2 time_diff times
| sort 0 Machine_Serial -num(timed)
| stats dc(Bundle) as count list(Bundle) as Bundle list(_time) as time list(time2) as Date list(time_diff) as time_diff list(timed) as tim_diff(H) by Machine_Serial | sort 0 -num(tim_diff(H))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
raby1996
Path Finder
06-02-2016
11:17 AM
one note I changed the "times" to" timed" at the end of the 4th line
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
raby1996
Path Finder
06-02-2016
11:16 AM
Worked flawlessly, thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
06-01-2016
03:58 PM
Try sorting before the stats command?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
raby1996
Path Finder
06-01-2016
05:17 PM
I've tried that, and the results are the same, still I appreciate the help.
