I have 4 hosts. Each host collects error logs. Each log consists of a Counter, like so:
2013-12-02 11:23:26,512 INFO type=COUNTER error count=1
So every time there is an error, the count=n part of the log increases.
I want to plot the amount of errors over time. I've set up a field extraction, called ErrorCount, for the number within "count=n". Using max(count), I have used the following search:
"type=COUNTER" ErrorCount=* host=lonrs10000 | timechart max(ErrorCount)
However, I have 3 further hosts, with their own counters running. How can I edit my search to include the other 3 hosts' data?
E.g. for a specific day:
the count of errors on host lonrs10000 = 5
the count of errors on host lonrs20000 = 4
the count of errors on host lonrs30000 = 2
the count of errors on host lonrs40000 = 0
The total for this specific day should be 11. I am looking to get the total number of errors as a result from my search.
Thanks a lot,
"type=COUNTER" ErrorCount=* host=lonrs10000 OR host=lonrs20000 OR host=lonrs30000 OR host=lonrs40000 | timechart max(ErrorCount) by host
Hi, thanks for your response. The search that you added doesn't add the numbers together though. It displays them as 4 separate values?
i.e. lonrs10000 = 5, lonrs20000 = 4... etc. Rather than total = 11.
Do you see what I mean?
I thought you needed the data per host. If you just need the total, remove the last part: "by host".
EDIT: if you need both things, add this to the first query I gave you: | addcoltotals
If I remove the 'by host' then the results from the search will be just the greatest value from the 4 hosts.
i.e. lonrs10000 = 5, lonrs20000 = 4, lonrs30000 = 2, lonrs30000 = 0
The answer would be 5, with your solution.
I need the answer to sum all of them, so the answer should be 5+4+2+0 = 11
I hope that makes sense?
You are right,
You can get it with the | addcoltotals, or also this way:
"type=COUNTER" ErrorCount=* host=lonrs10000 OR host=lonrs20000 OR host=lonrs30000 OR host=lonrs40000 | timechart max(ErrorCount) as tempvalue by host | timechart sum(tempvalue)
Try it and let me know if it works
Thanks for your help here, but I can't seem to get it working. When I use the query you suggested it doesn't give me any results. I understand what you're trying to do, but it just doesn't work for some reason. Any further ideas?
Can you try this:- (only limitation here is that you would have to specify the span for your chart, in bucket and in timechart both)
"type=COUNTER" ErrorCount=* host=lonrs10000 OR host=lonrs20000 OR host=lonrs30000 OR host=lonrs40000 | bucket _time span=1d | stats max(ErrorCount) as MaxErrorCount by host,_time | timechart span=1d sum(MaxErrorCount) as TotalErrors
This works. Thanks a lot. The timepicker on my dashboard still works too - although, obviously, won't display the chart very well on any time range less than a day.
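Added example (not part of the original thread): a Python sketch of what the accepted search computes, next to what a plain max without "by host" returns. The event list, the regex standing in for the ErrorCount extraction, and all function names are constructed for illustration; the day 2013-12-02 uses the per-host counts from the question (5, 4, 2, 0).

```python
import re
from collections import defaultdict

# Constructed sample events as (host, raw line); host is Splunk metadata, not part of the line.
SAMPLE_EVENTS = [
    ("lonrs10000", "2013-12-02 09:00:01,100 INFO type=COUNTER error count=1"),
    ("lonrs10000", "2013-12-02 11:23:26,512 INFO type=COUNTER error count=5"),
    ("lonrs20000", "2013-12-02 10:15:00,004 INFO type=COUNTER error count=4"),
    ("lonrs30000", "2013-12-02 12:30:45,250 INFO type=COUNTER error count=2"),
    ("lonrs40000", "2013-12-02 08:00:00,000 INFO type=COUNTER error count=0"),
    ("lonrs10000", "2013-12-02 13:00:00,000 INFO type=OTHER heartbeat"),  # ignored
    ("lonrs10000", "2013-12-03 09:10:00,000 INFO type=COUNTER error count=6"),
    ("lonrs20000", "2013-12-03 09:20:00,000 INFO type=COUNTER error count=4"),
]

# Day and counter value from a COUNTER line (stands in for the ErrorCount extraction).
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2},\d{3} \S+ type=COUNTER\b.*\bcount=(\d+)"
)

def parse(events):
    """Yield (host, day, count) for each COUNTER event; skip everything else."""
    for host, line in events:
        m = LINE_RE.match(line)
        if m:
            yield host, m.group(1), int(m.group(2))

def max_per_host_per_day(events):
    """bucket _time span=1d | stats max(ErrorCount) by host,_time"""
    peaks = {}
    for host, day, count in parse(events):
        key = (day, host)
        peaks[key] = max(peaks.get(key, 0), count)
    return peaks

def total_errors_per_day(events):
    """timechart span=1d sum(MaxErrorCount): add the per-host peaks of each day."""
    totals = defaultdict(int)
    for (day, _host), peak in max_per_host_per_day(events).items():
        totals[day] += peak
    return dict(totals)

def max_across_hosts_per_day(events):
    """Daily max(ErrorCount) without 'by host': one peak per day, hosts mixed."""
    peaks = {}
    for _host, day, count in parse(events):
        peaks[day] = max(peaks.get(day, 0), count)
    return peaks
```

For 2013-12-02, total_errors_per_day returns 11 while max_across_hosts_per_day returns 5, which is the difference discussed in the thread.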