I have a query that gives me a result in a name value format in a table.
Basically I work with log lines and I'm counting how many times one field has a discreet value.
Log lines can be e.g.:
errorid=1 hostname=a value=1 errorid=1 hostname=b value=3 errorid=1 hostname=a value=2 errorid=1 hostname=c value=1 errorid=2 hostname=c value=1
I'm able to create a query like:
errorid=*| stats count(eval(errorid='1') by hostname as Host
errorid=* | stats count(eval(errorid='1') by value as Value
But what I'd need that get the result from the first query and run the second against that subset.
So I'd like to find out that how many error messages have value X on a given host and get this for all hosts that appear in these kind of messages.
Output should be a table something like:
errorid | hostname | count 1 | a | 5 1 | b | 2 1 | c | 4 2 | a | 5
easy then - just a stats count by errorid hostname. Again though assuming you aren't wanting to do something with the field "value". Of course you could get all fancy and do something like
... | stats count by error hostname value | sort hostname | stats sum(count) as total_events list(hostname) as hostname list(value) as value by error
Since you seem to be interested in the error messages. If you wanted to focus more on the errors from a particular host you could reverse that to
... | stats count by error hostname value | sort hostname | stats sum(count) as total_events list(error) as error list(value) as value by hostname
Of course I'm partial to that sort of formatting but it doesn't translate well to PDF or csv output.
With your interaction with cchitten I'm not really sure what you are asking. Have you tried
errorid=* | stats count by hostname errorid value | sort hostname errorid
That will give you the individual counts of unique events. You could then do additional stats or eventstats commands if you wanted to find other pieces of summary data. I guess if that doesn't help I'd suggest posting an example of hoped for outcome.
does this work:
errorid=1 | stats count by hostname
Thanks, but that's written there in my question. I'd like to have a result that shows how many errors came with hostname "somehing" AND on a third column, how much of these had value x.
you wrote "how many error messages have value 1" not value X. And your searches weren't even using the right field names. Thats where i thought you were going wrong.
You could simply use a subsearch:
index=* [search index=* errorid=1 | table errorid] | stats count, dc(errorid), values(errorid) by hostname
Thanks for your answer, I've made my initial question more straightforward.