I have a simple search like
index=main sourcetype=performance Status=*
| eval Status = if(Status=="S","Success","Error")
Then I should have a count for each status, example 50 Success and 20 Errors.
Then get the average of those two counts, and finally compare this average to last event so I can get the average difference to the last event.
How can I achieve this?
Thanks in advance!
The basic answer is very easy; like this:
index=main sourcetype=performance Status=* | eval Status = if(Status=="S","Success","Error") | stats count BY Status
The problem is the "compare to last event" part, which doesn't make sense to me.
This pretty much solves the problem, just need to get the average of errors and success now...
My data is similar to this line:
05112015ZK00S09MAIN
05112015ZK00S14MAIN
05112015ZK00E65MAIN
05102015ZK00E22MAIN
05102015ZK00S01MAIN
Where the "S" or "E" stands for Status.
So I should get the average of events with Success, the average of Errors.
They were both extracted by positional regex as "Status".
How can I get the average of them?
I'm sorry but this question doesn't make any sense so I think you're just asking it in a confusing way. "the average of events with Success, the average of Errors" makes very little sense.
Do you want to end up with a single overall average success rate like 37%?
If so then
index=main sourcetype=performance Status=* | eval foo=1 | chart count over foo by Status | eval ratio=100*(S/E) | eval ratio=ratio + "%"
will do the trick.
But this wouldn't incorporate your other requirement, "compare this average to last event so I can get the average difference to the last event" which still doesn't make sense.
Well, this person asked us to get a deviation of average status error / success, I'm not actually sure if this is possible. He wants a red/yellow/green light indicator to show if the deviation is less than 30%, less than 50% or higher than 50%.
I agree; you gave us the 1st part (sample events) but not the 2nd part (mockup of final desire).
Are these individual events single-line events with only one value for Status each, that then are written out in big groups of events, where each group for you constitutes some "event" in the real world?
Or are these events large multiline events with multiple values of Status in each?
I do not understand. Show sample events and mockup of desired final data.
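One way to put the pieces of this thread together (counts per status, an error rate, a change against the previous period, and the red/yellow/green thresholds from the comment above), written as an added example rather than code from any of the posters: it assumes the positional layout shown in the sample lines (8-digit date, "ZK", two digits, the S/E status, two digits, "MAIN"), that "last event" means the previous day's bucket, and that the 30%/50% thresholds apply to the absolute change in error percentage.

```spl
index=main sourcetype=performance
| rex field=_raw "^(?<event_date>\d{8})ZK\d{2}(?<Status>[SE])\d{2}MAIN$"
| eval Status=if(Status=="S","Success","Error")
| bin _time span=1d
| stats count(eval(Status=="Success")) AS success_count,
        count(eval(Status=="Error")) AS error_count BY _time
| eval error_pct=round(100*error_count/(success_count+error_count),1)
| sort _time
| delta error_pct AS deviation_from_previous
| eval abs_deviation=abs(coalesce(deviation_from_previous,0))
| rangemap field=abs_deviation green=0-30 yellow=30-50 default=red
```

The rex line is only needed if Status has not already been extracted by the positional regex mentioned earlier; the `range` field produced by rangemap can drive a single-value panel's colour.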