I'm trying to list the last logged event for each permutation of my two logged fields (columns). If the last event was too long ago, I want to output "dead" for that combination of the two columns.
My queries thus far are using eval with if. However, I can't get the if statement to work with my column values.
If I make a dummy query,
hello_world_name=* host=* | stats max(timestamp) by hello_world_name, host | eval awol=if(1>0,"dead","live") | fields hello_world_name, host, awol, max(timestamp)
This will output "dead", because 1 > 0 evaluates to true. That seems right! 🙂
However, this one doesn't work:
hello_world_name=* host=* | stats max(timestamp) by hello_world_name, host | eval awol=if(max(timestamp)<0,"dead","live") | fields hello_world_name, host, awol, max(timestamp)
What happens is, the value in the predicate of the "if" always evaluates to false.
This one doesn't work either:
hello_world_name=* host=* | stats max(timestamp) as bob by hello_world_name, host | eval awol=if(bob>now(),"dead","live") | fields hello_world_name, host, awol, bob
What happens is, even though "bob" is a real value, as evidenced by the column labeled "bob", whether the predicate is set to "bob>now()" or "bob<now()", the answer is always as if it is false - the value of awol is "live".
What is the deal? Am I using eval incorrectly? How do I test fields from elsewhere in the query?
timestamp is still a string, and even max(timestamp) is still a string. It looks like when comparing against integers the answer will always be false.
Ways around this:
query:
hello_world_name=* host=* | stats max(timestamp) by hello_world_name, host | eval awol=if(max(timestamp)>0,"dead","live") | fields hello_world_name, host, awol, max(timestamp)
result:
hello_world_name host awol max(timestamp)
1 inabanoirousagi live 2015-02-04 03:32:32,910
bloobloo inabanoirousagi live 2015-06-18 21:16:43,910
fnord inabanoirousagi live 2015-06-17 20:43:20,860
query:
hello_world_name=* host=* | stats max(timestamp) as bob by hello_world_name, host | eval awol=if(bob>now(),"dead","live") | fields hello_world_name, host, awol, bob
result:
hello_world_name host awol bob
1 inabanoirousagi live 2015-02-04 03:32:32,910
bloobloo inabanoirousagi live 2015-06-18 21:16:43,910
fnord inabanoirousagi live 2015-06-17 20:43:20,860
As @martin_mueller says, there are many fundamental problems with your search including all that he notes, but even if everything that he notes is fixed, any time you compare an event's timestamp to now(), it should always be less than; your example >now() is looking for events in the future that have not occurred yet!
Somehow my answer got clipped; it is repaired now.
Thanks woodcock, but that is not the problem. As I mentioned in the text of my question,
"What happens is, even though "bob" is a real value, as evidenced by the column labeled "bob", no matter if the predicate is set "bob>now()" or "bob<now()", the answer is always as if it is false - the value of awol is "live"."
There's a key misunderstanding in your query.
If a host is "dead", i.e. has no events in your time range, there won't be any events in your time range. As a result, it won't even have a row to evaluate the awol value for that host.
Another issue: what format is your timestamp field using? Comparing now() with a string won't make sense, for example.
I'm sorry, I think I left out a key element which I thought would be implied by the fields in the query.
There will be events - they will just be old. My intention is for the final version of the query to test "timestamp" for its difference from now(). For example something like:
if (max(timestamp - now()) > 600, ...
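One way to get that age check working, as an added example that is not from the thread: the string timestamp field is converted to epoch seconds with strptime before stats, so the later comparison against now() is numeric rather than string-versus-number (which is why the thread's predicates always came out false). The field names and the 600-second threshold are taken from the thread; the 30-day search window (wide enough that old events from quiet hosts still produce a row) and the assumption that the first 19 characters of timestamp are "YYYY-MM-DD HH:MM:SS", as in the results shown above, are mine.

```spl
hello_world_name=* host=* earliest=-30d
| eval last_event = strptime(substr(timestamp, 1, 19), "%Y-%m-%d %H:%M:%S")
| stats max(last_event) AS last_seen BY hello_world_name, host
| eval age_sec = now() - last_seen
| eval awol = if(age_sec > 600, "dead", "live")
| eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table hello_world_name, host, last_seen, age_sec, awol
```

If the events' _time already reflects the timestamp field, stats max(_time) can replace the strptime step, since _time is already epoch seconds. Any hello_world_name/host pair with no events at all in the window still produces no row, so a shrinking row count is itself a signal worth alerting on.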
Try adding something like this after your stats command:
| eval awol = max(timestamp)
| table awol
That will show you what awol is calculating to and you can then adjust accordingly.
Thanks, but the "fields" clause already shows the values -- they are how I know the predicate isn't doing what I want.