Hi, With the below query i am able to list the country and request count by response time split. wall_time != NULL client_ipaddress != NULL |iplocation client_ipaddress| eval Latency=case(wall_time<500, "0-0.5s", wall_time>=500 AND wall_time<1000, "0.5s-1s",wall_time>=1000 AND wall_time<3000, "1s-3s", wall_time>=3000 AND wall_time<6000, "3s-6s",THREAD_WALL_MS>=4000 AND wall_time<10000, "6s-10s",wall_time>=10000 AND wall_time<30000, "10s-30s", wall_time>=30000, ">=30s")| chart span=1w count as RequestCount over Country by Latency | sort -RequestCount, -Latency But the query seems to be resulting 1 row with no value for the country field. Why is it so ? Anything i am missing out ? ... View more

Hi, I have a query which should ideally give me results for the Last week and the current week Request count. index=data earliest=-1w@w latest=now | eval Latency=case(walltime<500, "0-0.5s", walltime>=500 AND walltime<1000, "0.5s-1s",walltime>=1000 AND walltime<3000, "1s-3s", walltime>=3000 AND walltime<6000, "3s-6s",walltime>=4000 AND walltime<10000, "6s-10s",walltime>=10000 AND walltime<30000, "10s-30s", walltime>=30000, ">=30s")| timechart span=1w count as RequestCount by Latency When represented in a single value, it should result me single value of current week along with trendline compared with previous week. But the above query results for both previous week & latest week not the recent 3 days in current week, which is wrong. Here is the preview of the result How do i represent only the current week's result value alone displayed compared with previous week to show how much in percent less/more the count is ? Also is it possible to schedule this as a search and have it indexed in summary index. For example, Say every week, i run a query to get that week's result in the name "Previous_week", how do i compare with current week result with the summarized result under the source "Previous_week" ? ... View more

Hi, I have a dashboard with multiselect input, <fieldset submitButton="false" autoRun="true"> <input type="multiselect" token="metric" searchWhenChanged="true"> <label>Metric</label> <choice value="show_latency">Latency</choice> <choice value="show_throughput">Throughput</choice> <choice value="show_error">Error</choice> <choice value="*">All</choice> <delimiter> </delimiter> <change> <condition label="Latency"> <set token="show_latency">true</set> <unset token="show_throughput"></unset> <unset token="show_error"></unset> </condition> <condition label="Throughput"> <unset token="show_latency"></unset> <set token="show_throughput">true</set> <unset token="show_error"></unset> </condition> <condition label="Error"> <unset token="show_latency"></unset> <unset token="show_throughput"></unset> <set token="show_error">true</set> </condition> <condition label="All"> <set token="show_latency">true</set> <set token="show_throughput">true</set> <set token="show_error">true</set> </condition> <condition match="isnull(value)"> <unset token="latency"></unset> <unset token="throughput"></unset> <unset token="error"></unset> </condition> </change> </input> </fieldset> <row> <panel depends="$show_latency$"> </panel> <panel depends="$show_latency$"> </panel> </row> <row> <panel depends="$show_throughput$"> </panel> <panel depends="$show_throughput$"> </panel> </row> The probelm here is if i select Latency first, the panels of Latency gets selected. If I select Throughput first and Latency - second , Latency doesnt get displayed. Could someone please help me out here ... View more

I have requirement where in i have to display in a timerange, what is the peak number of request per min and corresponding max response time during that min Below is the query which gives me the for a span 1 min what was the count of thread and max response time for the selected timerange host=test, index=prod | timechart count(R) as ThreadCount, max(response_time) as ResponseTime by host_type In above result i would like to get what was the peak numbr of request the host_type was able to handle and what was the maximum response time when it was handling the peak request. something similar to below, host=test, index=prod | timechart count(R) as ThreadCount, max(response_time) as ResponseTime by host_type|streamstats max(ThreadCount) as MaxThreadCount by host_type|sort +ThreadCount |stats first(ResponseTime) as CorrespondingResponseTime |where ThreadCount=MaxThreadCount|table MaxThreadCount, CorrespondingResponseTime I am pretty sure something wrong in my query. Could you please help me in getting the peak number of request the host_type was able to handle and what was the maximum response time when it was handling the peak request. ... View more

I have a lookup file in below format Product|R AAAA|/ffff/* I have some events i like R="/fff/abc" and some like R="/ffff/xyz.jsp" Using this query i am able to fetch R counts index=prod* |search [|inputlookup product-dashboard-lookup.csv |fields R ]|stats count as Rcount by R Result for the above query is R | Rcount /fff/abc|10 /fff/xyz.jsp | 10 But i would like to get by Product instead of R something like below AAAA | 20 How do i achieve this ? ... View more

I am trying to build panel which will show when GC occurred and what was the CPU time when GC occurred & before GC occurred. The problem is the search queries need to be build from two different sources. Below are the queries Time at which GC occurred index=gc host =testserver sourcetype="gc" "GC (Allocation Failure)" |table _time Thread CPU time across the server index=appln host=testserver | timechart span=5m sum(THREAD_CPU_MS) as CUM_THREAD_CPU_MS How do i combine both into one chart ? ... View more

Hi , I have a token $hosstype$ which will get values as 'web', 'rpt' etc. If All option is selected the value to be passed to $tokenhost$ should be "prod-$hosttype*". How do i assign value as concatenated string with another token ? <label>$server$</label> <search> <query>index=app sourcetype=app_gc_log host="prod-$hosttype$*"| dedup host |sort host | table host</query> <earliest>-30d@d</earliest> <latest>now</latest> </search> <choice value="prod-$hosttype$*">All</choice> <fieldForLabel>host</fieldForLabel> <fieldForValue>host</fieldForValue> <valuePrefix>host=</valuePrefix> <delimiter> OR </delimiter> </input> ... View more