Solved: multiple subsearch using appendpipe

ljohnson_possib · ‎10-12-2015

I am trying to create a search that will give a table displaying counts for multiple time_taken intervals. For example I want to display the counts for calls with a time_taken of 0, time_taken between 1 and 15, time_taken between 16 and 30, time_taken between 31 and 45, time_taken between 46 and 60.......time_taken greater than 300.

Here is the search I have been playing around with to no avail:

|stats avg(time_taken) as Scenario count(eval(time_taken =0)) as Count | eval Scenario = "Calls returning in 0 time"
|appendpipe [stats count(eval(time_taken > 0 AND time_taken <= 15)) as Count | eval Scenario = "Calls returning between 1 and 15 time"]
|appendpipe [stats count(eval(time_taken > 16 AND time_taken <= 30)) as Count | eval Scenario = "Calls returning between 16 and 30 time"]
|appendpipe [stats count(eval(time_taken > 31 AND time_taken <= 45)) as Count | eval Scenario = "Calls returning between 31 and 45 time"]
|appendpipe [stats count(eval(time_taken > 46 AND time_taken <= 60)) as Count | eval Scenario = "Calls returning between 46 and 60 time"]
|appendpipe [stats count(eval(time_taken > 61 AND time_taken <= 100)) as Count | eval Scenario = "Calls returning between 61 and 100 time"]
|appendpipe [stats count(eval(time_taken > 101 AND time_taken <= 200)) as Count | eval Scenario = "Calls returning between 101 and 200 time"]
|appendpipe [stats count(eval(time_taken > 201 AND time_taken <= 300)) as Count | eval Scenario = "Calls returning between 201 and 300 time"]
|appendpipe [stats count(eval(time_taken > 300)) as Count | eval Scenario = "Calls returning more than 300"]

woodcock · ‎10-12-2015

First of all, your eval Scenario= is clobbering your as Scenario so you are losing your main data element. Second, you really don't need to append anything. Give this a try:

|stats avg(time_taken) as Scenario
count(eval(time_taken =0)) as "Calls returning in 0 time" 
count(eval(time_taken > 0 AND time_taken <= 15)) as "Calls returning between 1 and 15 time"
count(eval(time_taken > 16 AND time_taken <= 30)) as "Calls returning between 16 and 30 time"
count(eval(time_taken > 31 AND time_taken <= 45)) as "Calls returning between 31 and 45 time"
count(eval(time_taken > 46 AND time_taken <= 60)) as "Calls returning between 46 and 60 time"
count(eval(time_taken > 61 AND time_taken <= 100)) as "Calls returning between 61 and 100 time"
count(eval(time_taken > 101 AND time_taken <= 200)) as "Calls returning between 101 and 200 time"
count(eval(time_taken > 201 AND time_taken <= 300)) as "Calls returning between 201 and 300 time"
count(eval(time_taken > 300)) as "Calls returning more than 300"

View solution in original post

woodcock · ‎10-12-2015

First of all, your eval Scenario= is clobbering your as Scenario so you are losing your main data element. Second, you really don't need to append anything. Give this a try:

|stats avg(time_taken) as Scenario
count(eval(time_taken =0)) as "Calls returning in 0 time" 
count(eval(time_taken > 0 AND time_taken <= 15)) as "Calls returning between 1 and 15 time"
count(eval(time_taken > 16 AND time_taken <= 30)) as "Calls returning between 16 and 30 time"
count(eval(time_taken > 31 AND time_taken <= 45)) as "Calls returning between 31 and 45 time"
count(eval(time_taken > 46 AND time_taken <= 60)) as "Calls returning between 46 and 60 time"
count(eval(time_taken > 61 AND time_taken <= 100)) as "Calls returning between 61 and 100 time"
count(eval(time_taken > 101 AND time_taken <= 200)) as "Calls returning between 101 and 200 time"
count(eval(time_taken > 201 AND time_taken <= 300)) as "Calls returning between 201 and 300 time"
count(eval(time_taken > 300)) as "Calls returning more than 300"

ljohnson_possib · ‎10-12-2015

Thanks...this logic got the main data needed for the dashboard I am building. Something I haven't had since I began a week ago. The results are given all on a single row (one line of output). I am hoping to have the results in one column. This way I can use the pie chart in my dash.

woodcock · ‎10-12-2015

For a 1 column, just add this:

... | transpose

ljohnson_possib · ‎10-12-2015

That worked absolutely perfect.

ljohnson_possib · ‎10-12-2015

By the way woodcock thanks a million for the answer. If I cannot get my pie chart to work, I will find a way to make the one line result work in the dashboard.

multiple subsearch using appendpipe

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...