Hi,
I'm trying to combine 2 timecharts into just a single graph
index=xxx (MTYP=0 RESL=0) OR (MTYP=1 RESL=0) OR (MTYP=4 RESL=0) | timechart count(_raw) as successful by host
index=xxx (MTYP=0 RESL=1) OR (MTYP=0 RESL=2) OR (MTYP=0 RESL=3) OR (MTYP=1 RESL=1) OR (MTYP=1 RESL=2) OR (MTYP=1 RESL=3) OR (MTYP=4 RESL=1) OR (MTYP=4 RESL=2) OR (MTYP=4 RESL=3) | timechart count(_raw) as failed by host
I tried this but got an error
index=xxx (MTYP=0 RESL=0) OR (MTYP=1 RESL=0) OR (MTYP=4 RESL=0) | stats count(_raw) as successful count(eval((MTYP=0 RESL=1) OR (MTYP=0 RESL=2) OR (MTYP=0 RESL=3) OR (MTYP=1 RESL=1) OR (MTYP=1 RESL=2) OR (MTYP=1 RESL=3) OR (MTYP=4 RESL=1) OR (MTYP=4 RESL=2) OR (MTYP=4 RESL=3))) as failed by _time
You could try a different approach:
index=xxx sourcetype=yyy MTYP=* RESL=*
| eval outcome = case(
    ((MTYP==0 AND RESL==0) OR (MTYP==1 AND RESL==0) OR (MTYP==4 AND RESL==0)), "success",
    ((MTYP==0 AND RESL==1) OR (MTYP==0 AND RESL==2) OR (MTYP==0 AND RESL==3) OR
     (MTYP==1 AND RESL==1) OR (MTYP==1 AND RESL==2) OR (MTYP==1 AND RESL==3) OR
     (MTYP==4 AND RESL==1) OR (MTYP==4 AND RESL==2) OR (MTYP==4 AND RESL==3)), "failed",
    1==1, "unknown")
| timechart span=1h count by outcome
Hope this helps,
K
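The answer's pipeline does three things: retrieve both the successful and the failed populations in one base search (the original attempt only retrieved RESL=0 events, so its "failed" count could never be non-zero), label each event with an eval case() that uses explicit AND/OR between conditions (inside eval, "MTYP=0 RESL=1" with no operator between the terms is a syntax error), and then bucket by hour and count by label. The block below is an added Python re-implementation of that same logic over a few constructed key=value events; it is not code from the thread, and the sample events, hostnames and the 1-hour span are assumptions. It also shows the by-host split the question originally wanted, which the SPL can get with "timechart span=1h count by outcome" plus a host field, or by combining host and outcome into one field before the timechart.

```python
from collections import defaultdict
from datetime import datetime, timezone
import re

# Constructed sample events (not from the original thread). Each line is a
# timestamp followed by key=value pairs, including the MTYP/RESL fields the
# question filters on. MTYP=2 is included to show the "unknown" branch.
SAMPLE_EVENTS = """\
2024-03-01T10:05:12Z host=web01 MTYP=0 RESL=0 user=alice
2024-03-01T10:17:40Z host=web01 MTYP=1 RESL=2 user=bob
2024-03-01T10:42:03Z host=db01 MTYP=4 RESL=0 user=svc
2024-03-01T11:02:55Z host=web01 MTYP=0 RESL=3 user=bob
2024-03-01T11:09:10Z host=db01 MTYP=4 RESL=1 user=mallory
2024-03-01T11:30:00Z host=db01 MTYP=2 RESL=0 user=alice
2024-03-01T11:48:21Z host=web01 MTYP=0 RESL=0 user=alice
"""

# The message types and result codes the question treats as success/failure.
SUCCESS_MTYP = {0, 1, 4}
FAILED_RESL = {1, 2, 3}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one raw line into a field dict with a timezone-aware _time."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def classify(mtyp, resl):
    """Same decision as the answer's case(): every condition is an explicit
    AND of MTYP and RESL, and anything unmatched falls through to 'unknown'."""
    if mtyp in SUCCESS_MTYP and resl == 0:
        return "success"
    if mtyp in SUCCESS_MTYP and resl in FAILED_RESL:
        return "failed"
    return "unknown"


def span_1h(dt):
    """Equivalent of timechart span=1h: truncate _time to the hour boundary."""
    return dt.replace(minute=0, second=0, microsecond=0)


def timechart(raw, by_host=False):
    """Return {hour_bucket: {series_name: count}}.

    With by_host=False the series are the outcome labels, matching
    'timechart span=1h count by outcome'. With by_host=True the series
    are host:outcome, which is what combining the two original
    per-host timecharts into one graph produces.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        # Mirrors the base search 'MTYP=* RESL=*': skip events lacking either field.
        if "MTYP" not in ev or "RESL" not in ev:
            continue
        outcome = classify(int(ev["MTYP"]), int(ev["RESL"]))
        bucket = span_1h(ev["_time"]).isoformat()
        series = f"{ev['host']}:{outcome}" if by_host else outcome
        counts[bucket][series] += 1
    return {b: dict(s) for b, s in sorted(counts.items())}


if __name__ == "__main__":
    for bucket, series in timechart(SAMPLE_EVENTS).items():
        print(bucket, series)
    for bucket, series in timechart(SAMPLE_EVENTS, by_host=True).items():
        print(bucket, series)
```

If you later need the per-host view in Splunk itself, the same idea applies: build one field such as `eval series=host.":".outcome` after the case() and run `timechart span=1h count by series`, rather than running two searches and trying to merge their results afterwards.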
Good to hear; I didn't get to test it, so it was more off the top of my head.
Hi Kristian,
It didn't work the way I fully expected it to, but I got the idea and so I did some minor tweaks to suit my needs. Finally got it working now. Thanks a bunch.