I would like to find out how often a type of message is displayed after an update.
The data I am looking at displays an upgrade message when a site updates their software.
I would like to know how often a particular type of event happens after 3 days of an update (so how many times this event happens between the upgrade date and 72 hours later).
I mainly want to find ones where the event count is 0.
What I have so far is like this:
basesearch that leaves just upgrades and the events I want to count
| transaction Message startswith=latest(Upgrade) by SITE_ID maxpause=72h
Example of some events:
SITE_ID=123 Message=Trigger1
SITE_ID=456 Message=Trigger1
SITE_ID=123 Message=Update
SITE_ID=456 Message=Trigger1
SITE_ID=123 Message=Trigger1
SITE_ID=456 Message=Update
SITE_ID=456 Message=Trigger1
For this example, I want it to spit out and tell me that SITE_ID 123 had 1 trigger after their latest update and SITE_ID 456 also had 1 trigger after their update.
This should work:
basesearch that leaves just upgrades and the events I want to count
| reverse | streamstats current=t count(Upgrade) AS sessionID BY SITE_ID
| streamstats current=t first(_time) AS startTime by sessionID SITE_ID
| stats first(_time) AS upgradeTime count(eval((_time - startTime) > 259200)) AS count by sessionID SITE_ID
I do not understand what the:
(eval((_time - startTime) > 259200))
Is doing in the line:
| stats first(_time) AS upgradeTime count(eval((_time - startTime) > 259200)) AS count by sessionID SITE_ID
The (eval((_time - startTime) > 259200)) is checking whether each event is within 72 hours (equivalent to 259200 seconds), which is what you said you need.
What does the sessionID part of this do?
The sessionID part creates a way to group the events that are related to (come after and in between) Upgrade events.
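To make the reverse / streamstats / stats pipeline from the answer concrete, here is an added Python example (not from the thread or from Splunk) that does the same sessionization over a constructed event list. The timestamps are assumed, since the thread's sample events carry none; the upgrade marker is taken to be Message=Update as in those samples (the posted search counts a field named Upgrade, which the unspecified basesearch would have to produce); site 789 is added to show the zero-count case the question is after. Each function mirrors one stage of the search: sessionize() is the two streamstats lines (running count of upgrades per site becomes sessionID, the upgrade's _time becomes startTime), count_in_window() is the stats line, and latest_upgrade_counts() keeps only each site's most recent session.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the thread). Timestamps are assumed;
# sites 123 and 456 mirror the question, site 789 is added for a zero-count case.
SAMPLE_EVENTS = [
    ("2024-01-01 08:00:00", 123, "Trigger1"),
    ("2024-01-01 09:00:00", 456, "Trigger1"),
    ("2024-01-02 10:00:00", 123, "Update"),
    ("2024-01-02 11:00:00", 456, "Trigger1"),
    ("2024-01-03 12:00:00", 123, "Trigger1"),   # 26h after 123's update: counted
    ("2024-01-03 13:00:00", 456, "Update"),
    ("2024-01-04 14:00:00", 456, "Trigger1"),   # 25h after 456's update: counted
    ("2024-01-04 15:00:00", 789, "Update"),
    ("2024-01-09 16:00:00", 123, "Trigger1"),   # 7 days later: outside the window
]

WINDOW = timedelta(hours=72)  # the 72h / 259200s window from the thread


def parse(events):
    """Turn (timestamp string, SITE_ID, Message) tuples into dicts with real
    datetimes, oldest first (what `| reverse` does to Splunk's newest-first order)."""
    parsed = [{"_time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), "SITE_ID": s, "Message": m}
              for t, s, m in events]
    return sorted(parsed, key=lambda e: e["_time"])


def sessionize(events, upgrade_msg="Update"):
    """Mirror the two streamstats lines: per site, a running count of upgrade
    events becomes sessionID and the upgrade event's _time becomes startTime.
    Events seen before a site's first upgrade get sessionID 0 and no startTime."""
    session = {}   # SITE_ID -> current sessionID
    start = {}     # (SITE_ID, sessionID) -> upgrade time
    out = []
    for e in events:
        site = e["SITE_ID"]
        if e["Message"] == upgrade_msg:
            session[site] = session.get(site, 0) + 1
            start[(site, session[site])] = e["_time"]
        sid = session.get(site, 0)
        out.append({**e, "sessionID": sid, "startTime": start.get((site, sid))})
    return out


def count_in_window(sessioned, trigger_msg="Trigger1", window=WINDOW):
    """Mirror the stats line, counting trigger events that fall WITHIN the
    window after the upgrade (0 < _time - startTime <= 72h), as the question
    asks. Returns {(SITE_ID, sessionID): (upgradeTime, count)}."""
    result = {}
    for e in sessioned:
        if e["sessionID"] == 0:
            continue  # no upgrade seen yet for this site
        key = (e["SITE_ID"], e["sessionID"])
        upgrade_time, n = result.get(key, (e["startTime"], 0))
        delta = e["_time"] - e["startTime"]
        if e["Message"] == trigger_msg and timedelta(0) < delta <= window:
            n += 1
        result[key] = (upgrade_time, n)
    return result


def latest_upgrade_counts(events, **kw):
    """Per site, the trigger count for the most recent upgrade session only."""
    per_session = count_in_window(sessionize(parse(events)), **kw)
    latest = {}
    for (site, sid), (upgrade_time, n) in per_session.items():
        if site not in latest or sid > latest[site][0]:
            latest[site] = (sid, upgrade_time, n)
    return {site: n for site, (_, _, n) in latest.items()}


def sites_with_zero(events, **kw):
    """The case the question cares about most: sites whose latest upgrade was
    followed by no trigger events inside the window."""
    return sorted(s for s, n in latest_upgrade_counts(events, **kw).items() if n == 0)


if __name__ == "__main__":
    for site, n in sorted(latest_upgrade_counts(SAMPLE_EVENTS).items()):
        print(f"SITE_ID {site}: {n} trigger(s) within 72h of latest update")
    print("zero-count sites:", sites_with_zero(SAMPLE_EVENTS))
```

One detail worth checking against the posted search: count_in_window() keeps events whose offset from the upgrade is at most 259200 seconds, which is what "between the upgrade date and 72 hours later" asks for. The stats line in the answer uses `(_time - startTime) > 259200`, which selects events more than 72 hours after the upgrade; to count the in-window events, that comparison would need to be `<=` (or `<`) instead.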
Can you provide some sample events?
I dummied up some example sample events.