* | rex "(?<fpc>fpc\d+) (?<ichip>ICHIP\(\d+\)):Packet drop in Ichip pktwr,rate: %\S+: \d+, total: (?<err>\d+)"
How do I get the max(err) and min(err) for each combination of host, fpc, ichip?
err is an integer number.
<your search> | stats max(err) min(err) by host,fpc,ichip
* | stats max(err) as max_err min(err) as min_err by host,fpc,ichip | eval rate=(max_err-min_err)/720 | fields - max_err min_err | sort -rate
Added to the answer.
How do I sort it by host with the highest rate? rate is (max(err) - min(err)) / 720
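The search from the answer, reproduced outside Splunk so it can be checked against sample events. This is an added Python example, not part of the original thread; the host names and log lines are constructed, `drop_rates` is a hypothetical helper name, and the 720 divisor is the one used in the thread.

```python
import re

# Same pattern as the rex in the question; Python spells named groups (?P<name>...).
PATTERN = re.compile(
    r"(?P<fpc>fpc\d+) (?P<ichip>ICHIP\(\d+\)):Packet drop in Ichip pktwr,"
    r"rate: %\S+: \d+, total: (?P<err>\d+)"
)

WINDOW = 720  # divisor from the thread's eval

# Constructed events as (host, raw line); host is event metadata, not in the line.
SAMPLE = [
    ("rtr-a", "fpc1 ICHIP(0):Packet drop in Ichip pktwr,rate: %pps: 4, total: 900"),
    ("rtr-a", "fpc1 ICHIP(1):Packet drop in Ichip pktwr,rate: %pps: 1, total: 500"),
    ("rtr-b", "fpc0 ICHIP(0):Packet drop in Ichip pktwr,rate: %pps: 2, total: 300"),
    ("rtr-b", "fpc0 link state change"),  # no match: contributes nothing
    ("rtr-a", "fpc1 ICHIP(0):Packet drop in Ichip pktwr,rate: %pps: 9, total: 8100"),
    ("rtr-a", "fpc1 ICHIP(1):Packet drop in Ichip pktwr,rate: %pps: 1, total: 1220"),
    ("rtr-b", "fpc0 ICHIP(0):Packet drop in Ichip pktwr,rate: %pps: 5, total: 3900"),
]


def drop_rates(events, window=WINDOW):
    """Mirror: stats max(err) min(err) by host,fpc,ichip | eval rate | sort -rate."""
    lo, hi = {}, {}
    for host, raw in events:
        m = PATTERN.search(raw)
        if m is None:
            continue  # event without the extracted fields falls out of the grouping
        key = (host, m["fpc"], m["ichip"])
        # Captured groups are strings; convert so 900 < 8100 compares numerically.
        err = int(m["err"])
        lo[key] = min(err, lo.get(key, err))
        hi[key] = max(err, hi.get(key, err))
    rows = [(*key, (hi[key] - lo[key]) / window) for key in lo]
    # sort -rate: highest rate first
    return sorted(rows, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    for host, fpc, ichip, rate in drop_rates(SAMPLE):
        print(host, fpc, ichip, rate)
```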