Hello
I am trying to do a 24hr and 31 days chart for the threshold value which will be as a output of this table. Now the below code gives me threshold value for each workgroup. I now need to create a timechart which mentions about the number of times the threshold for a particular workgroup(A) is exceeded.
index=xxxx search_name="xxxx" | rename record_assignmentGroup as A | eval mybucket=case(date_hour<4,1,date_hour<8,2,date_hour<12,3,date_hour<16,4,date_hour<20,5,date_hour>0,6) | stats count as I by A, mybucket,date_mday,date_month,date_year | delta I as D | eval D = abs(D) | eventstats avg(I) as xbar, avg(D) as mbar by A | eval threshold = xbar + (2.66*mbar) | eval threshold=coalesce(threshold,0) | dedup A | fields A threshold | table A threshold
I made use of macro and now the search is
index=xxxx search_name="xxxx" | `bucket_incident` | `threshold_incident`|
It's just a shorter version of the first one.
Output:
A threshold
Regards
theou
@theouhuios, Could you explain what your trying to accomplish with your case statment?
eval mybucket=case(date_hour<4,1,date_hour<8,2,date_hour<12,3,date_hour<16,4,date_hour<20,5,date_hour>0,6)
if your grouping is per time bucket (mybucket), then keep it at every steps of your commands : stats, fields, etc...
and at the end your probably want |table A mybucket threshold
@bmacias84 I updated it now. Any idea on how to solve this.
I should have been a bit more clear. Will update the part now.
I am not sure what you trying to do exactly, but you need to perserve _time to use timechart or to use chart use (chart count over time by x) in your stats command and eventstats.