Removing the dedup from your original suggestion seems to have cleared up the weird issue I was having. I should have noticed that dedup counters your goal. (I copied from your original illustration without considering implications in time interval.)

You are correct, this is one more reason you don't want to throw dedup around.

Is there an easy way, instead of having an individual line for each "missing" pod, to either have a single line with the total count of "non-critical" pods, or possibly also have two lines for "critical" and "non-critical"?

First, let's clarify that your goal is to count the number of missing pod groups by importance. Something like this should do:

index=abc sourcetype=kubectl
| lookup pod_list pod_name_lookup as pod_name OUTPUT pod_name_lookup
| where sourcetype == "kubectl"
| bin span=1h@h _time
| stats values(pod_name_lookup) as pod_name_lookup values(pod_name_all) as pod_name_all by importance _time
| append
[ inputlookup pod_list
| rename pod_name_lookup as pod_name_all]
| eventstats values(pod_name_all) as pod_name_all by importance
| eval missing = if(isnull(pod_name_all), pod_name_all, mvappend(missing, mvmap(pod_name_all, if(pod_name_all IN (pod_name_lookup), null(), pod_name_all))))
| where isnotnull(missing)
| timechart span=1m@m dc(missing) by importance

Here is an emulation.

| makeresults format=csv data="_time, pod_name, importance
10,apache-12, critical
22,apache-2, critical
34,kakfa-8, critical
80,superapp-13, critical
88,someapp-6
160,grafana-backup-11
166,apache-4, critical
168,kafka-6, critical
566,apache-4, critical
568,kafka-6, critical
174,someapp-2
250,grafana-backup-6
374,anotherapp-10"
| fillnull value=non-critical importance
| eval _time = now() - _time
| eval sourcetype = "kubectl"
| eval pod_name_lookup = replace(pod_name, "\d+", "*")
``` the above emulates
index=abc sourcetype=kubectl
| lookup pod_list pod_name_lookup as pod_name OUTPUT pod_name_lookup
| dedup pod_name
```
| where sourcetype == "kubectl"
| bin span=1m@m _time
| stats values(pod_name_lookup) as pod_name_lookup values(pod_name_all) as pod_name_all by importance _time
| append
[makeresults format=csv data="namespace, pod_name_lookup, importance
ns1, kafka-*, critical
ns1, apache-*, critical
ns2, grafana-backup-*, non-critical
ns2, someapp-*, non-critical"
``` subsearch thus far emulates
| inputlookup pod_list
```
| rename pod_name_lookup as pod_name_all]
| eventstats values(pod_name_all) as pod_name_all by importance
| eval missing = if(isnull(pod_name_all), pod_name_all, mvappend(missing, mvmap(pod_name_all, if(pod_name_all IN (pod_name_lookup), null(), pod_name_all))))
| where isnotnull(missing)
| timechart span=1m@m dc(missing) by importance
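As an added illustration (my own Python, not code from either post), the same missing-pod-group computation over the thread's constructed sample data; it assumes fixed one-minute buckets counted in seconds-ago rather than now()-relative bins, and models the pod_list lookup as a wildcard match with fnmatch instead of the replace() approximation used in the emulation:

```python
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample data copied from the emulation above:
# (seconds_ago, pod_name, importance); None means the field is absent.
EVENTS = [
    (10, "apache-12", "critical"),
    (22, "apache-2", "critical"),
    (34, "kakfa-8", "critical"),      # spelling kept as on the page: matches no pattern
    (80, "superapp-13", "critical"),
    (88, "someapp-6", None),
    (160, "grafana-backup-11", None),
    (166, "apache-4", "critical"),
    (168, "kafka-6", "critical"),
    (566, "apache-4", "critical"),
    (568, "kafka-6", "critical"),
    (174, "someapp-2", None),
    (250, "grafana-backup-6", None),
    (374, "anotherapp-10", None),
]

# The pod_list lookup: wildcard pattern -> importance (constructed, as in the thread).
POD_LIST = {
    "kafka-*": "critical",
    "apache-*": "critical",
    "grafana-backup-*": "non-critical",
    "someapp-*": "non-critical",
}

def missing_by_bucket(events, pod_list, span=60):
    """Return {(bucket, importance): set of expected patterns not seen in that bucket}."""
    # eventstats values(pod_name_all) by importance: expected patterns per group
    expected = defaultdict(set)
    for pattern, imp in pod_list.items():
        expected[imp].add(pattern)
    # bin + stats values(pod_name_lookup) by importance _time
    seen = defaultdict(set)
    for seconds_ago, pod, imp in events:
        imp = imp or "non-critical"          # fillnull value=non-critical importance
        bucket = seconds_ago // span         # assumption: fixed buckets, not now()-relative
        seen[(bucket, imp)].update(p for p in pod_list if fnmatch(pod, p))  # lookup
    # missing = expected for the group minus what the bucket actually contained
    return {(b, imp): expected[imp] - pods for (b, imp), pods in seen.items()}

def missing_counts(events, pod_list, span=60):
    """dc(missing) by importance per bucket, i.e. what the final timechart plots."""
    return {k: len(v) for k, v in missing_by_bucket(events, pod_list, span).items()}
```

Buckets with nothing missing come out as 0 here, which is also what timechart shows after the where isnotnull(missing) filter drops those rows.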