Hi,
I have the following search, which is attempting to add up the number of dropped and processed syslog messages in each event, based on the field syslog_dest_host:
sourcetype="syslog-stats" | streamstats window=1 sum(syslog_dropped) as Dest_Syslog_Dropped, sum(syslog_processed) as Dest_Syslog_Processed by syslog_dest_host | table _time, host, syslog_dest_host, syslog_dropped, Dest_Syslog_Dropped, syslog_processed, Dest_Syslog_Processed
When this is run, however, I see that the sum is being taken over all values of syslog_dest_host in the event, rather than one sum per syslog_dest_host, eg:
host syslog_dest_host syslog_dropped Dest_Syslog_Dropped ...
host1 dest1 1 12
dest2 1
dest2 3
dest1 4
dest1 2
dest2 1
However, what I would like to see is:
host syslog_dest_host syslog_dropped Dest_Syslog_Dropped ...
host1 dest1 1 7
dest2 1 5
dest2 3
dest1 4
dest1 2
dest2 1
Is what I want even possible?
If not, is there a way to filter within the event, such that only the instances of syslog_dest_host and syslog_dropped are returned when syslog_dest_host=host1? I tried adding this to the search string "sourcetype=syslog-stats syslog_dest_host=host1", but because host1 appears somewhere in the event, the entire event is returned.
Rgds,
Brett.
I would get out of multivalue-land for this, even if you go back into multivalue fields at the end.
For example:
sourcetype="syslog-stats" | mvexpand syslog_dest_host | streamstats window=1 sum(syslog_dropped) as Dest_Syslog_Dropped, sum(syslog_processed) as Dest_Syslog_Processed by syslog_dest_host | table _time, host, syslog_dest_host, syslog_dropped, Dest_Syslog_Dropped, syslog_processed, Dest_Syslog_Processed
If you need to fold it back up the way it was at the end, then do this:
sourcetype="syslog-stats" | streamstats count as rowId | mvexpand syslog_dest_host | streamstats window=1 sum(syslog_dropped) as Dest_Syslog_Dropped, sum(syslog_processed) as Dest_Syslog_Processed by syslog_dest_host | table _time, host, syslog_dest_host, syslog_dropped, Dest_Syslog_Dropped, syslog_processed, Dest_Syslog_Processed | stats values(*) as * by rowId
Hello bro,
try the below search.
sourcetype="syslog-stats" | streamstats window=1 global=false sum(syslog_dropped) as Dest_Syslog_Dropped, sum(syslog_processed) as Dest_Syslog_Processed by syslog_dest_host | table _time, host, syslog_dest_host, syslog_dropped, Dest_Syslog_Dropped, syslog_processed, Dest_Syslog_Processed