I would like to combine the following two searches in one timechart:
host="appserv" OAuth participants POST | regex _raw="/organizations/[a-z0-9-]*/participants/?$" | timechart count
and
host="appserv" deadlock | timechart count
Sounds like a pretty simple question, but I can't find how to do it.
Many ways to skin this cat. appendcols came to mind first:
host="appserv" OAuth participants POST earliest=-1h@h latest=-0h@h |
regex _raw="/organizations/[a-z0-9-]*/participants/?$" |
timechart count as OAuthCount |
appendcols [ search host="appserv" deadlock earliest=-1h@h latest=-0h@h |
timechart count as deadlockCount | fields deadlockCount ]
So you run the first search roughly as is. Add in a time qualifier for grins, and rename the count column to something unambiguous. Pipe the results of that into an appendcols that uses a subsearch reflecting the second search (same mods), and pipe that into fields to isolate just the count of deadlocks. Finally, close the subsearch.
I make no claim that this is the best way.
Cool! Exactly what I want!
Thanks a lot 🙂 appendcols is my friend now!