I am appending results from below query, which will display different objectType suppliedMaterial:
index="" source="" "suppliedMaterial" AND "reprocess event" |stats count | rename count as ReProcessAPICall
| appendcols [search index="" source="" "suppliedMaterial" AND "data not found for Ids"| eval PST=_time-28800 | eval PST_TIME3=strftime(PST, "%Y-%d-%m %H:%M:%S") | spath output=dataNotFoundIds path=dataNotFoundIds{}| stats values(*) as * by _raw | table dataNotFoundIds{},dataNotFoundIdsCount, PST_TIME3 | sort- PST_TIME3 ]
| appendcols [search index="" source="*" "suppliedMaterial" AND "sqs sent count" | eval PST=_time-28800 | eval PST_TIME4=strftime(PST, "%Y-%d-%m %H:%M:%S") | spath sqsSentCount output=sqsSentCount | stats values(*) as * by _raw | table sqsSentCount PST_TIME4 | sort- PST_TIME4 ]
| appendcols [search index="" source="" "suppliedMaterial" AND "request body" | eval PST=_time-28800 | eval PST_TIME4=strftime(PST, "%Y-%d-%m %H:%M:%S") | spath output=version path=eventBody.version | spath output=objectType path=eventBody.objectType | stats values(*) as * by _raw | table version, objectType ] | table objectType version dataNotFoundIdsCount sqsSentCount ReProcessAPICall
For Material
index="" source="" "material" AND "reprocess event" |stats count | rename count as ReProcessAPICall
| appendcols [search index="" source="*" "material" AND "data not found for Ids"| eval PST=_time-28800 | eval PST_TIME3=strftime(PST, "%Y-%d-%m %H:%M:%S") | spath output=dataNotFoundIds path=dataNotFoundIds{}| stats values(*) as * by _raw | table dataNotFoundIds{},dataNotFoundIdsCount, PST_TIME3 | sort- PST_TIME3 ]
| appendcols [search index="" source="*" "material" AND "sqs sent count" | eval PST=_time-28800 | eval PST_TIME4=strftime(PST, "%Y-%d-%m %H:%M:%S") | spath sqsSentCount output=sqsSentCount | stats values(*) as * by _raw | table sqsSentCount PST_TIME4 | sort- PST_TIME4 ]
| appendcols [search index="" source="" "material" AND "request body" | eval PST=_time-28800 | eval PST_TIME4=strftime(PST, "%Y-%d-%m %H:%M:%S") | spath output=version path=eventBody.version | spath output=objectType path=eventBody.objectType | stats values(*) as * by _raw | table version, objectType ] | table objectType version dataNotFoundIdsCount sqsSentCount ReProcessAPICall
My actual is:

| objectType | version | dataNotFoundIdsCount | sqsSentCount | ReProcessApiCall |
|---|---|---|---|---|
| suppliedMaterial | all | 4 | 15 | 12 |
| suppliedMaterial | latest | 2 | 19 | |
| suppliedMaterial | all | 3 | 11 | |
| Material | latest | 6 | 10 | |
| Material | latest | 5 | 4 | |
| Material | all | 4 | 1 | |
| Material | all | 2 | 3 | |
My Expected is: Basically I needed to count the two fields (dataNotFoundIdsCount & sqsSentCount, based on what version, whether 'all' or 'latest') from the previous queries. I am thinking to use the version as dynamic values, and bring a conditional check in those queries to add the field values for each version and name it as dataNotFoundIdsCount_all, dataNotFoundIdsCount_latest. Finally, in the last query, again check the version and show the sum. Please advise if there's an easy way of doing this.

| objectType | version | dataNotFoundIdsCount | sqsSentCount | ReProcessApiCall |
|---|---|---|---|---|
| suppliedMaterial | all | 4 | 15 | 12 |
| suppliedMaterial | latest | 2 | 19 | |
| Material | all | 3 | 11 | |
| Material | latest | 6 | 10 | |