I have stores and I want to check the status of each store, whether it is up or down.
I want to show the status with the help of processes.
Processes.csv lookup
processes | Services | DeviceType |
ax | Amazonx | controller |
by | buy | register |
I wrote a query, but it is not showing the status up or down:
|mstats latest_time(value) as _time where (host="*" OR host="t*") index=a_store_metrics AND metric_name="process.time" by host process
|search process in ("ax","by")
|eval host=lower(host)
|rex field=host "(?<Device>[^\.]+)"
|rex field=Device "(?<store>\w{7})"
|search [|inputlookup store_device where store="a01"
|fields Device
|format]
|lookup store_device Device OUTPUT Store as storetype DeviceType
|where (DeviceType="Controller" OR DeviceType="Register") AND store="a01"
|lookup process.csv process OUTPUT Services
|stats latest(_time) as time by instance store
|eval status=if(time!="".,"UP","DOWN")
|fields store instance service status
I am getting this output:
store | instance | service | status |
a01 | ax | amazon x | UP |
a01 | by | buy | UP |
If I turn off the store, it is not showing DOWN; it is showing only one instance.
Suppose I stop the services for by: it should show status DOWN in the by column, but it is not showing the entire column, as shown below.
store | instance | service | status |
a01 | ax | amazon x | UP |
Please help me out.
Thank you.
@ITWhisperer
When time is not equal to null, I kept it as UP; if it is null, it will show DOWN.
If you want to check for null, use isnull() or isnotnull():
| eval status=if(isnotnull(_time),"UP","DOWN")
However, this will probably not get you what you want, as _time will probably not be null; it will just be the latest value, and therefore the status will always be "UP".
@ITWhisperer
Thanks for the help. But it is showing only UP. When something goes down, I am unable to show which particular services are down. They are disappearing from the results.
I want to show it in the table when a particular service is down or the store is down,
but I am getting no results found.
Which events tell you that the service or store is down?
What are you trying to achieve with this line?
|eval status=if(time!="".,"UP","DOWN")
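An added example, not part of any post in this thread: a process that has stopped reporting produces no row at all, so an `if()` on its timestamp is never evaluated for it. One common pattern is to append the list of processes you expect and let `stats` merge it with what was actually seen. Everything below is constructed so it runs on any Splunk instance: the first `makeresults` stands in for the output of the existing `stats latest(_time) as time by instance store` step (only `ax` reporting), the subsearch stands in for an `inputlookup` of the expected processes, and the five-minute freshness window is an assumption.

```spl
| makeresults
| eval store="a01", instance="ax", time=now()-60
| fields store instance time
| append
    [| makeresults
     | eval store="a01", time=0, instance=split("ax,by", ",")
     | mvexpand instance
     | fields store instance time]
| stats max(time) as time by store instance
| eval status=if(time>=relative_time(now(), "-5m"), "UP", "DOWN")
| fields store instance status
```

This returns `ax` as UP and `by` as DOWN: the placeholder `time=0` keeps a row for every expected process, and the freshness comparison also catches a process whose last sample is simply old.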