I'm searching for a way to treat different events as one. Example: If I'm getting events like this, where every field-value pair is in one event, it's easy to deal with:
1426177481 testhost=wonderserver3 running=3 sleeping=147 zombie=2
1426177492 testhost=wonderserver1 running=4 sleeping=141 zombie=2
1426177493 testhost=wonderserver2 running=1 sleeping=146 zombie=2
Target: sum all key-value pairs together over time and create a chart:
index="temp" testhost=* | eval allprocesses=running+sleeping+zombie | timechart avg(allprocesses) by testhost
But now I'm getting events looking like this:
1426179351 thost=appserver03 object=zombie value=1
1426179352 thost=appserver03 object=sleeping value=147
1426179353 thost=appserver03 object=running value=1
1426179354 thost=appserver02 object=zombie value=1
1426179355 thost=appserver02 object=sleeping value=147
1426179356 thost=appserver02 object=running value=1
What would be a good way to group these events together? The value is always in the field named "value" and the key is included in "object". All they have in common is the hostname.
Thanks for your help in advance.
You can try something like this, but you would have to specify the timechart span (in the bucket command). This example does it for a day.
index="temp" thost=* | bucket span=1d _time | stats sum(value) as value by _time, thost | timechart avg(value) by thost
Quick way to group them:
index=test sourcetype="answers" | transaction maxspan=5s thost
Assuming that whatever is polling them is doing it serially and there is a max span of 5 seconds.
Try something like this:
index="temp" testhost=* | bucket span=1d _time | eval allprocess=running+sleeping+zombie | timechart avg(allprocess)
Change the span as you need.
Just following up with this post, but did any of the 3 responses you got here solve your question? If yes, please be sure to resolve this post by accepting the one that worked best for your case. Thanks!
Thanks for your answers. For me the main problem was that all values were created in the field "value". It worked much better for me to extract the field names using the <KEY1><VAL1> fields. These fields extract the names of the values dynamically, so I get fields with e.g. running=3 sleeping=105 ...
So creating a timechart is quite easy when using: search | timechart avg(running) as running avg(sleeping) as sleeping
Thx and best regards,
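To make the two working approaches in this thread concrete outside of Splunk, here is an added Python example (not code from the original thread or from Splunk) that emulates both on a handful of constructed events in the second format: the first answer's `bucket span=1d _time | stats sum(value) by _time, thost | timechart avg(value) by thost`, and the asker's dynamic key/value extraction that turns each `object=X value=N` pair back into an `X=N` field per host and time bucket. The event lines, the one-day bucket, and the field names `thost`, `object` and `value` are taken from the question; the extra second-day poll of `appserver03` is constructed to show how averaging across buckets behaves.

```python
import re
from collections import defaultdict

# Constructed sample events in the second format from the question: one
# object/value pair per event, tied together only by host and timestamp.
# The last three lines are a constructed second poll of appserver03 one day later.
SAMPLE_EVENTS = """\
1426179351 thost=appserver03 object=zombie value=1
1426179352 thost=appserver03 object=sleeping value=147
1426179353 thost=appserver03 object=running value=1
1426179354 thost=appserver02 object=zombie value=1
1426179355 thost=appserver02 object=sleeping value=147
1426179356 thost=appserver02 object=running value=1
1426265751 thost=appserver03 object=zombie value=2
1426265752 thost=appserver03 object=sleeping value=141
1426265753 thost=appserver03 object=running value=4
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
DAY = 86400  # seconds; the `span=1d` from the accepted-style answer


def parse_events(text):
    """Turn raw lines into dicts with _time, thost, object and value fields."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(KV_RE.findall(rest))
        events.append({"_time": int(ts), "thost": fields["thost"],
                       "object": fields["object"], "value": int(fields["value"])})
    return events


def bucket_time(ts, span):
    """Equivalent of `bucket span=<span> _time`: floor the timestamp to the span."""
    return ts - ts % span


def pivot_by_bucket(events, span=DAY):
    """The asker's dynamic <KEY><VAL> extraction: one row per (bucket, host) with
    each object as its own field, e.g. {'running': 1, 'sleeping': 147, 'zombie': 1}.
    Values are summed, so the span must not exceed the polling interval or a
    host polled twice in one bucket is double counted (the caveat in answer 1)."""
    snapshots = defaultdict(lambda: defaultdict(int))
    for ev in events:
        key = (bucket_time(ev["_time"], span), ev["thost"])
        snapshots[key][ev["object"]] += ev["value"]
    return {key: dict(snap) for key, snap in snapshots.items()}


def sum_value_by_host(events, span=DAY):
    """`stats sum(value) as value by _time, thost`: total processes per bucket and host."""
    return {key: sum(snap.values())
            for key, snap in pivot_by_bucket(events, span).items()}


def timechart_avg_by_host(events, span=DAY, chart_span=DAY):
    """`timechart avg(value) by thost` over the bucketed sums: a row per chart
    bucket with one column per host, averaging the stats rows that fall in it."""
    cells = defaultdict(lambda: defaultdict(list))
    for (bucket, host), total in sum_value_by_host(events, span).items():
        cells[bucket_time(bucket, chart_span)][host].append(total)
    return {t: {h: sum(v) / len(v) for h, v in hosts.items()}
            for t, hosts in cells.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for key, snap in sorted(pivot_by_bucket(evs).items()):
        print(key, snap)
    print(timechart_avg_by_host(evs))
    print(timechart_avg_by_host(evs, chart_span=2 * DAY))
```

With a one-day chart span each day shows the summed process count per host; widening `chart_span` to two days averages the two polls of `appserver03` (149 and 147) into 148, which is the same effect the `timechart` span has on the `stats` rows in the first answer.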