Hello Community,
I evaluate the values of a single field which comes with values such as: OUT; IN; DENIED and can get counters for each of those values.
Now I want to subtraction "OUT" minus "IN" ( or maybe even minus "DENIED")
index="application-license" sourcetype=application License_User_device=* License_feature_status=* License_user=*
| fields _time,License_user,License_User_device, License_feature_status,License_feature,tag,eventtype,
| eval User=(License_user)
| eval LicenseTaken-OUT=mvfilter(match(License_feature_status, "OUT$"))
| eval LicenseTaken-IN=mvfilter(match(License_feature_status, "IN$"))
| eval LicenseTaken-DENIED=mvfilter(match(License_feature_status, "DENIED$"))
| eval LicenseTaken=(License_feature_status)
| eval LicenseTaken-AVG=mvfilter(match(License_feature_status, "OUT$") OR match(License_feature_status, "IN$") )
| eval License_feature=(License_feature)
| eval Time=strftime(_time, "%d-%m-%Y %H:%M:%S")
| bucket Time span=100d
| timechart count(LicenseTaken-OUT) as "Application-LicenseTaken(OUT)" count(LicenseTaken-IN) as "Application-LicenseTaken(IN)" count(LicenseTaken-DENIED) as "Application-License-DENIED" count(LicenseTaken) as "Application-License Taken(sum)" count(LicenseTaken-AVG) as "License_avg" | predict License_avg algorithm=LLT upper40=high lower40=low future_timespan=45 holdback=3
in above sample ... I like to implement:
| eval LicenseTaken=(License_feature_status) - | eval field1=mvfilter(match(field, "IN$"))
or
.... mvfilter(match(License_feature_status, "OUT$")) MINUS mvfilter(match(License_feature_status, "IN$"))
Field substraction wasn't working; turned back always 0 (zero)
Any ideas?
thanks in advance
Kai
UPDATE:
index="application-license" sourcetype=application License_User_device="*" License_feature_status="*" License_user="*"
| fields _time,License_user,License_User_device, License_feature_status,License_feature,tag,eventtype,
| rex max_match=0 field=License_fueature_status "\b(?<status>\w+$)"
| timechart span=1d count by status
| streamstats sum(OUT) as sOUT sum(IN) as sIN
| eval LicenseInUse=sOUT - sIN
| fields - s*
| outputlookup Minitab-Test-Calculation.csv
I see, How about this?
Hello,
and thanks again.
Unfortunately above suggestion doesn't work for me.... but it gave me more possible ideas how to handle the case.
(I adjusted as per below)
index="minitab-license" sourcetype=minitab License_User_device=* License_feature_status=* License_user=*
| rex max_match=0 field=License_feature_status "\b(?
| timechart span=1d count by status
| eventstats
,count(status="OUT") as "LicenseTaken_OUT"
,count(status="IN") as "LicenseTaken_IN"
,count(status="DENIED") as "LicenseTaken_DENIED"
| eval LicenseInUse=OUT - IN
| outputlookup Minitab-Test-Calculation.csv (export --just to see results)
So far so good
In above case I try to count "licenses" which are given "OUT" & taken back "IN"
So start with counter "0" --> "OUT or IN"
so would it be possible to carry on the previous result PLUS the | eval LicenseInUse=OUT - IN into another column
Hi, @knitz
my answer is updated
UPDATE:
index="application-license" sourcetype=application License_User_device="*" License_feature_status="*" License_user="*"
| fields _time,License_user,License_User_device, License_feature_status,License_feature,tag,eventtype,
| rex max_match=0 field=License_fueature_status "\b(?<status>\w+$)"
| timechart span=1d count by status
| streamstats sum(OUT) as sOUT sum(IN) as sIN
| eval LicenseInUse=sOUT - sIN
| fields - s*
| outputlookup Minitab-Test-Calculation.csv
I see, How about this?
Hello,
and thank you very much for your prompt response.
Unfortunately above suggestion doesn't work for me.... but it gave me more possible ideas how to handle the case.