Hi Guys,
Fewer events are displayed when I search with * and then search for the hostname, whereas all events are shown if I search with the hostname at the beginning.
Please suggest why it is misbehaving and what the solution is to get all events.
Thanks in advance.
Hi @AKBBB,
the problem is that in the first search you used the Caption=FREQSAPP150 condition before a dedup command, in the second after it.
This means that some of the results could be eliminated by the dedup.
In addition you have two dedups, why not use only one?
Anyway SPL best practices say to put search conditions as far left as possible, avoiding extra search commands as you did.
So rebuild your search in this way.
index=prod_solarwinds (source="rest://Prod_Solarwinds_Agent_Asset" OR source="rest://Prod_Solarwinds_ICMP_Asset" ) Caption=FREQSAPP150 Vendor="*"
| fields _time Caption ResponseTime Status
| replace *-primary WITH * IN Caption
| replace *-secondary WITH * IN Caption
| eval Availablity = if(ResponseTime < 0 AND Status=2,0,1)
| sort Caption _time limit=0
| dedup _time Caption
Ciao.
Giuseppe
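As an added example (not code from this thread, and not Splunk's own implementation), a small Python model of the ordering effect Giuseppe describes: `dedup _time` keeps only one event per timestamp across all hosts, so a Caption filter placed after it can only ever see whichever host's poll happened to come first. The events, the host names OTHERHOST01/02 and the helper functions are constructed; the replace commands are left out because they do not affect this effect.

```python
# Added example (not from the thread or Splunk): a model of why "search Caption=..."
# placed after "dedup _time" loses events. Hosts, timestamps and helpers are constructed.

def dedup(events, *fields):
    """Model SPL dedup: keep the first event seen per combination of field values."""
    seen, kept = set(), []
    for ev in events:
        key = tuple(ev.get(f) for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(ev)
    return kept

def search(events, **criteria):
    """Model `| search field=value` with exact matches."""
    return [ev for ev in events if all(ev.get(k) == v for k, v in criteria.items())]

def availability(events):
    """The thread's eval (0 if ResponseTime < 0 AND Status=2, else 1), as a percentage."""
    if not events:
        return 0.0
    ok = sum(0 if (ev["ResponseTime"] < 0 and ev["Status"] == 2) else 1 for ev in events)
    return 100.0 * ok / len(events)

def poll(ts, caption, up):
    return {"_time": ts, "Caption": caption,
            "ResponseTime": 5 if up else -1, "Status": 1 if up else 2}

# Constructed polls, newest first as Splunk returns them: three hosts share every
# timestamp; FREQSAPP150 is down at 16:52 and 15:00 only.
EVENTS = []
for ts, app_up in [("2023-01-29 17:00", True), ("2023-01-29 16:52", False),
                   ("2023-01-29 16:00", True), ("2023-01-29 15:00", False),
                   ("2023-01-29 14:00", True)]:
    app = poll(ts, "FREQSAPP150", app_up)
    others = [poll(ts, "OTHERHOST01", True), poll(ts, "OTHERHOST02", True)]
    # Order within a timestamp is not guaranteed in Splunk; the down polls come first here.
    EVENTS.extend(others + [app] if app_up else [app] + others)

def filter_then_dedup():
    """First search in the thread: Caption filter in the base search, then dedup _time."""
    return dedup(search(EVENTS, Caption="FREQSAPP150"), "_time")

def dedup_then_filter():
    """Second search in the thread: dedup _time over all hosts, Caption filter afterwards."""
    return search(dedup(EVENTS, "_time"), Caption="FREQSAPP150")

if __name__ == "__main__":
    print(availability(filter_then_dedup()), availability(dedup_then_filter()))  # 60.0 0.0
```

With the filter first, all five FREQSAPP150 polls survive and availability is 60%; with the dedup first, only the two polls that happened to be listed ahead of the other hosts survive, both of them down, so availability reads 0%, which is the symptom reported in the thread.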
Hi @AKBBB ,
please share your searches.
Then, did you use a fixed time (e.g. yesterday or last hour) or are you using now as latest?
Ciao.
Giuseppe
If I search using the SPL below
index=prod_solarwinds (source="rest://Prod_Solarwinds_Agent_Asset" OR source="rest://Prod_Solarwinds_ICMP_Asset" ) Caption=FREQSAPP150
|search Vendor="*" Caption="*"
|search * Vendor="*"
|dedup _time
|table _time Caption ResponseTime Status
| replace *-primary WITH * IN Caption
| replace *-secondary WITH * IN Caption
|eval Availablity = if(ResponseTime < 0 AND Status=2,0,1)
|sort Caption _time limit=0
|dedup _time Caption
I get 2760 records
while using
index=prod_solarwinds (source="rest://Prod_Solarwinds_Agent_Asset" OR source="rest://Prod_Solarwinds_ICMP_Asset" )
|search Vendor="*" Caption="*"
|search * Vendor="*"
|dedup _time
|table _time Caption ResponseTime Status
| replace *-primary WITH * IN Caption
| replace *-secondary WITH * IN Caption
| search Caption=FREQSAPP150
|eval Availablity = if(ResponseTime < 0 AND Status=2,0,1)
|sort Caption _time limit=0
|dedup _time Caption
I get only 3, as below
Complete 5,889 events (1/1/23 12:00:00.000 AM to 2/1/23 12:00:00.000 AM)
_time | Caption | ResponseTime | Status | Availablity |
2023-01-29 15:00:47 | FREQSAPP150 | -1 | 2 | 0 |
2023-01-29 16:52:51 | FREQSAPP150 | -1 | 2 | 0 |
2023-01-31 19:06:59 | FREQSAPP150 | -1 | 2 | 0 |
The problem is that, because of this, the Availability from the first search comes out at around 80% and from the second it comes out as 0.
I want to understand why this is happening.
If I search using the SPL below
index=prod_solarwinds (source="rest://Prod_Solarwinds_Agent_Asset" OR source="rest://Prod_Solarwinds_ICMP_Asset" ) FREQSAPP150
|search Vendor="*" Caption="*"
|search * Vendor="*"
|dedup _time
|table _time Caption ResponseTime Status
| replace *-primary WITH * IN Caption
| replace *-secondary WITH * IN Caption
|eval Availablity = if(ResponseTime < 0 AND Status=2,0,1)
|sort Caption _time limit=0
|dedup _time Caption
I get 2760 records
while using
index=prod_solarwinds (source="rest://Prod_Solarwinds_Agent_Asset" OR source="rest://Prod_Solarwinds_ICMP_Asset" )
|search Vendor="*" Caption="*"
|search * Vendor="*"
|dedup _time
|table _time Caption ResponseTime Status
| replace *-primary WITH * IN Caption
| replace *-secondary WITH * IN Caption
| search Caption=FREQSAPP150
|eval Availablity = if(ResponseTime < 0 AND Status=2,0,1)
|sort Caption _time limit=0
|dedup _time Caption
I get only 3, as below
Complete 5,889 events (1/1/23 12:00:00.000 AM to 2/1/23 12:00:00.000 AM)
_time | Caption | ResponseTime | Status | Availablity |
2023-01-29 15:00:47 | FREQSAPP150 | -1 | 2 | 0 |
2023-01-29 16:52:51 | FREQSAPP150 | -1 | 2 | 0 |
2023-01-31 19:06:59 | FREQSAPP150 | -1 | 2 | 0 |
Your first search finds event with FREQSAPP150 anywhere in the event, whereas your second search filters for FREQSAPP150 only being in the Caption field.
But the 2nd search should return all the events that are returned by the 1st search.
Why am I not getting them? Please suggest.
Yes, up to the point you do this:
| search Caption=FREQSAPP150
This removes the events which don't match this criteria.
I have to use the 2nd search only, in the whole query of the dashboard.
So this logic should work; I can't remove it because it needs to apply to lots of other servers.
In the 1st logic, if I put Caption=FREQSAPP150 it also produces 2760 events.
I have explained why you are getting fewer results (which was your question, although "misbehaving" is not the right word since it is behaving as you have coded it!). Perhaps it would be better if you explained what it is you are trying to achieve, so we can help you create a search for that?
We are calculating the % of server availability from the code, and the 2nd search is part of the whole query (which is where the event discrepancy is). In it we search all events and then calculate availability for each server.
When 0% availability was seen, I searched with the server at the start of the query, and then it gives the resulting availability.
Please share your two searches and some events which are included and some which are missed.