I have the following query,
index="xxxx" source="*$Device_ID$*xxxx*"
| eval Device_ID=mvindex(split(source,"/"),5)
| rex field=_raw "(?<timestamp>[^|]+)"
| table Device_ID timestamp
| streamstats count as s_no by Device_ID
| sort 0 - s_no
| table Device_ID s_no timestamp
How do I use the map or foreach command with the above query so that it runs separately for each Device_ID?

| eval time=strptime(timestamp,"%F %T.%4N")
| streamstats max(time) as latest_time
| where time >= latest_time


The provided query appears to run for each Device_ID already. How is the query not meeting your expectations? What is the use case? Why do you think you need map or foreach?
If this reply helps you, Karma would be appreciated.
Hi @richgalloway ,
This is my whole query.
index="xxxx" source="*$Device_ID$*xxxx*"
| eval Device_ID=mvindex(split(source,"/"),5)
| rex field=_raw "(?<timestamp>[^|]+)"
| table Device_ID timestamp
| streamstats count as s_no by Device_ID
| sort 0 - s_no
| table Device_ID s_no timestamp
I'm trying to remove events which are decreasing in between. Here I have used the "filldown" command, so it is messing up the other devices.
To get rid of this, I want to use map or foreach, but I'm not sure how to implement it in the above query.
Sample Data:
Timestamp
2021-08-09 12:26:55.7852
2021-08-09 12:26:56.2278
2021-08-09 12:26:56.2278
2021-08-09 12:26:56.3939
2021-08-09 12:26:39.2861
2021-08-09 12:26:40.3430
2021-08-09 12:26:41.3482
2021-08-09 12:26:41.4832
2021-08-09 12:26:56.8794
2021-08-09 12:26:57.8846
2021-08-09 12:26:58.9398
2021-08-09 12:26:59.9450
2021-08-09 12:26:59.9700
2021-08-09 12:26:59.9700
2021-08-09 12:27:00.8201
2021-08-09 12:27:00.8401
2021-08-09 12:27:01.0352
2022-03-30 10:09:25.6406
2022-03-30 10:09:25.8007
2022-03-30 10:09:26.8109
2022-03-30 10:09:27.5961
2022-03-30 10:09:27.5961
If you look at the timestamps marked as bold, the seconds value decreases in between; I'm trying to ignore those events.
In some cases the hours or minutes will also decrease.

| eval time=strptime(timestamp,"%F %T.%4N")
| streamstats max(time) as latest_time
| where time >= latest_time
Thank you @ITWhisperer. Can you please help me with where I should add those lines you mentioned?

Try something like this
index="xxxx" source="*$Device_ID$*xxxx*"
| eval Device_ID=mvindex(split(source,"/"),5)
| rex field=_raw "(?<timestamp>[^|]+)"
| table Device_ID timestamp
| streamstats count as s_no by Device_ID
| sort 0 - s_no
| table Device_ID s_no timestamp
| eval time=strptime(timestamp,"%F %T.%4N")
| streamstats global=f max(time) as latest_time by Device_ID
| where time >= latest_time
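To make clear why the `by Device_ID` clause matters, here is an added example (not part of the thread and not Splunk's own code) that replays the filtering logic of the `streamstats max(time) ... | where time >= latest_time` step in Python. It takes the timestamps posted in the question for one device, interleaves them with a constructed, hypothetical second device (dev-B) whose events are legitimately increasing but earlier than dev-A's latest time, and runs the same running-maximum rule both per device (like the answer above) and with one global maximum (like the first version without `by`). The global version drops every dev-B event, which is exactly the "messing up with other devices" symptom; the per-device version drops only the four dev-A events whose clock went backwards.

```python
from datetime import datetime

# Constructed sample input. The dev-A timestamps are the ones posted in the
# question, oldest first (the order `sort 0 - s_no` produces); dev-B is a
# hypothetical second device added only to show the cross-device problem.
DEV_A = [
    "2021-08-09 12:26:55.7852", "2021-08-09 12:26:56.2278", "2021-08-09 12:26:56.2278",
    "2021-08-09 12:26:56.3939",
    "2021-08-09 12:26:39.2861", "2021-08-09 12:26:40.3430",  # clock went backwards
    "2021-08-09 12:26:41.3482", "2021-08-09 12:26:41.4832",  # still behind the maximum
    "2021-08-09 12:26:56.8794", "2021-08-09 12:26:57.8846", "2021-08-09 12:26:58.9398",
    "2021-08-09 12:26:59.9450", "2021-08-09 12:26:59.9700", "2021-08-09 12:26:59.9700",
    "2021-08-09 12:27:00.8201", "2021-08-09 12:27:00.8401", "2021-08-09 12:27:01.0352",
    "2022-03-30 10:09:25.6406", "2022-03-30 10:09:25.8007", "2022-03-30 10:09:26.8109",
    "2022-03-30 10:09:27.5961", "2022-03-30 10:09:27.5961",
]
DEV_B = ["2021-08-09 12:26:50.0000", "2021-08-09 12:26:51.0000", "2021-08-09 12:26:52.0000"]

# Interleave the two devices the way streamstats would see them: dev-B's events
# arrive after dev-A has already advanced to 12:26:56, which is the situation a
# single global maximum gets wrong.
SAMPLE_EVENTS = ([("dev-A", t) for t in DEV_A[:4]]
                 + [("dev-B", t) for t in DEV_B]
                 + [("dev-A", t) for t in DEV_A[4:]])


def parse_ts(ts: str) -> datetime:
    # Same layout as strptime(timestamp, "%F %T.%4N"); Python's %f accepts 1-6 digits.
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def filter_monotonic(events, per_device=True):
    """Keep events whose time is >= the running maximum seen so far.

    per_device=True mirrors `streamstats global=f max(time) as latest_time by Device_ID`;
    per_device=False mirrors the same streamstats without the `by` clause.
    Returns (kept, dropped), both lists of (device, timestamp) tuples in input order.
    """
    latest = {}             # running maximum per key
    kept, dropped = [], []
    for device, ts in events:
        t = parse_ts(ts)
        key = device if per_device else None   # one shared maximum when not per device
        if key in latest and t < latest[key]:
            dropped.append((device, ts))       # went backwards: `where time >= latest_time` fails
            continue
        latest[key] = t                         # t >= previous max, so it is the new max
        kept.append((device, ts))
    return kept, dropped


if __name__ == "__main__":
    for mode in (True, False):
        kept, dropped = filter_monotonic(SAMPLE_EVENTS, per_device=mode)
        print(f"per_device={mode}: kept {len(kept)}, dropped {len(dropped)}")
        for d in dropped:
            print("  dropped", d)
```

Running it prints 4 dropped events (all dev-A, starting at 12:26:39.2861) in per-device mode and 7 in global mode, the extra three being the whole of dev-B. The same reasoning applies to the `filldown` approach mentioned earlier: any running state that is not keyed by Device_ID leaks one device's value into the next device's events, so every streaming command in this pipeline needs the `by Device_ID` clause, and the events must already be in chronological order per device before it runs.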
Hi @ITWhisperer ,
| streamstats global=f max(time) as latest_time by Device_ID | where time >= latest_time
This is giving accurate results. But when I enable the scheduled search, it runs in fast mode, and in fast mode I found that a few events are missing. Is there any alternative way to do this?
