As I write this I realize that what I want is likely not possible using this method. I want a fillnull (or similar) to happen before an eval. The eval is likely not even called if there are no events in the timechart span I am looking at. I want the eval to return a 1 when there are no events in that span.
This works, but is missing the eval.
index=main sourcetype=iis cs_host="site1.mysite.com" | timechart span=10s Max(time_taken) | fillnull value=1
This is what I am using. It works, except for when no events happen.
index=main sourcetype=iis cs_host="site1.mysite.com" | eval site1_up=if(sc_status=200,1,0) | timechart span=10s Max(site1_up)
This charts a 1 if there was at least one 200 response from site1.mysite.com in the 10s span. It charts a 0 if there were responses, but none were 200. If there are no matching events it is probably not even looked at and returns nothing and the chart looks like a 0. I want a 1 charted if there are no events in that 10s span.
Adding | fillnull value=200 sc_status after the timechart simply shows an extra column of sc_status at 200 in every span (column in the chart). Putting this before the eval does not work since I believe nothing is done without an event. It should also only use fillnull (or similar) if no events are in that 10 second span. I have also tried | append [| makeresults ] without success, but don't completely know how that would work.
Logically this is what I want. The reasoning for the up/down status is not important since this is simply an example.
For each 10s span in the timechart
|eval Site1_up=1 if cs_host=A and at least one sc_status=200
|eval Site1_up=0 if cs_host=A and at no sc_status=200
|eval Site1_up=1 if there are no events matching cs_host=A
|eval Site2_up =1 if cs_host=B and at least one cs_method=POST
|eval Site2_up =0 if cs_host=B and at no cs_method=POST
|eval Site2_up =1 if there are no events matching cs_host=B
|eval Site3_up =1 if cs_host=C AND cs_User_Agent=Mozilla and at least one cs_uri_stem=check.asmx
|eval Site3_up =0 if cs_host=C AND cs_User_Agent=Mozilla and no cs_uri_stem=check.asmx
|eval Site3_up =1 if there are no events matching cs_host=C
I am trying to make a chart of the up(1)/down(0) status of various components, some of which are determined by the IIS logs.
Thanks
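
Added example (not part of the original post): one way to combine the two searches above, doing the per-event eval before the timechart and the fillnull after it, extended to two of the sites from the pseudocode. The host `site2.mysite.com` and the helper fields `site1_ok` and `site2_ok` are assumptions made for illustration.

```spl
index=main sourcetype=iis (cs_host="site1.mysite.com" OR cs_host="site2.mysite.com")
| eval site1_ok=if(cs_host="site1.mysite.com", if(sc_status=200,1,0), null())
| eval site2_ok=if(cs_host="site2.mysite.com", if(cs_method="POST",1,0), null())
| timechart span=10s max(site1_ok) AS Site1_up max(site2_ok) AS Site2_up
| fillnull value=1 Site1_up Site2_up
```

Each helper field is null for events from the other host, so `max()` returns 1 or 0 only when that site logged something in the span. A span with no events for a site still gets a row from timechart, as the first search in the post shows, and the final `fillnull` turns its empty cell into 1.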