index="*" | eval foo=coalesce(F1,F2) | eventstats values(P1) as Foo2 by foo| ....
foo P1 F1 F2 Foo2
The above output is getting used by eventstats.... when event count increase, the some of the fields are not getting result.
Please provide me the solution instead of using event stats, is there any other way to match the two fields to get other field output result.?
Yes write, we are getting result FOO2 if you use eventstats only running at limited period [every 5min or 15min].
But if you run that same query more than 30 min period, FOO2 is NULL . Because Eventstats taking more memory usage, its crossed the limit.
But I need 2nd event result when put "index="*" | eval foo=coalesce(F1,F2) | eventstats values(P1) as Foo2 by foo | where isnull(P1)...."
foo P1 F1 F2 Foo2
2 result1 NULL NULL result1 X2
Do you have any other query to use instead of using eventstats to get same result?
@karthikeyan_k14 - you've cut off the part of the search that tells us what is wrong. What we see is exactly the right output for the input. You have two different types of records, one of which has
P1 and no
F2, the other has
F2 and no
P1. The missing fields correctly get NULLs.
To help debug this kind of thing, if your count is not going up as expected, then you could try this...
your search | where isnull(foo2)
That will give you any records where no
F1/P1 record was available in the time range selected. Review those and see if they are the problem.
eventstats has the purpose of calculating group values while leaving the individual transactions alone. If you just need one line of data for each foo, then use
If you need the
F1/P1 data copied onto the
F2 record, and don't need the
F1/P1event itself, then you should filter out the
F1/P1 records immediately after the
If all of the above didn't help, then we need clearer specifications. If you want different output, we need to know the kind of input records of each type that are getting the wrong output.
Here's what we generally need -
(1) The information about the two different kinds of events ( what fields are important in them)
(2) The desired output.
(3) The current code.
(4) The current output.
It is very likely we can sort this out for you, but I'm finding it difficult to follow what the problem actually is.
So we're coalescing two fields - P1 and P2 into a new field call foo. Fine.
Then it looks like according to what you asked for, it should be giving you exactly that in the
| eventstats values(P1) as Foo2 by foo|
So I'm not sure what the problem is.
Evenstats may not be what you want here, if you restructure and try something like this:
index="*" | eval foo=coalesce(F1,F2) | stats count, values(P1) as Foo2 by foo| ....
Does that get closer?