In the following search I want to have the average for the events where GB_w is < 15 days | stats earliest(A_Z) AS A_Z earliest(D_A) AS D_A | eval eA_Z=strptime(A_Z,"%Y-%m-%d %H:%M:%S.%N") | eval eD_A_I=coalesce(strptime(D_A, "%Y-%m-%d %H:%M:%S.%N"),now()) | eval GB_w=floor((eD_A_I-eA_Z)/86400) | chart avg(GB_w) As GDA | eval GDA=round(GDA,0) I thought i could use something like this: | eval GB_w=floor((eD_A_I-eA_Z)/86400) |where GB_w <15 | chart avg(GB_w) As GDA | eval GDA=round(GDA,0) Somehow the result is 0. It also seems that the search always uses the 'now'time, even if there is a D_A time present in the event. What am i doing wrong? ... View more

Hi, I have a single value in my dashboard, i want users to be able to drilldown on this value. When they do a new search has to be executed. We run version 6.5.2 so we dont yet have the drilldowneditor. I thougt i just could add this to the source: drilldown> search?q=index=zzz earliest=-h sourcetype= "xxx" OR sourcetype="yyyy" | eval eA_Z=strptime(A_Z,"%Y-%m-%d %H:%M:%S.%N") | eval eD_A_I=coalesce(strptime(eD_A_I, "%Y-%m-%d %H:%M:%S.%N"),now()) | eval G_w =floor((eD_A_I-eA_Z)/86400) | search G_w <= 14 But this does not work. Why not? ... View more

I've got the followingsearch: | stats values earliest(AG_Z) AS A_Z values earliest(D_AG) AS D_A_I | eval eA_Z=strptime(A_Z,"%Y-%m-%d %H:%M:%S.%N") | eval eD_A_I=coalesce(strptime(D_A_I, "%Y-%m-%d %H:%M:%S.%N"),now()) | eval G_w=floor((eD_A_I-eA_Z)/86400) | search G_w > 14 | timechart span=1w avg(G_w) As GDA Somehow this does not give any results, when ik remove the first line (| stats values earliest(AG_Z) AS A_Z values earliest(D_AG) AS D_A_I ) It does, but i need to use the earliest dates. How can i fix this so i use the earliest dates and generate a single value with trend? ... View more

I have read a lot of other questions about this matter but i just can't get it running. Ik have this search": index=xxxx | stats values earliest(G_S) AS G_S values earliest(A_Z) AS A_Z values earliest(D_A) AS D_A_I count by ZMV | eval eG_S=strptime(G_S,"%Y-%m-%d %H:%M:%S.%N"), eA_Z=strptime(A_Z, "%Y-%m-%d %H:%M:%S.%N") | eval eD_A_I=coalesce(strptime(D_A_I, "%Y-%m-%d %H:%M:%S.%N"),now()) | eval days=floor((eD_A_I-eA_Z)/86400) | stats count as daycount by days |eval days = abs(days) | eval days = if(days<=14,"Binnen KPI","Buiten KPI") | stats sum(daycount) as daycount by days The results are presented in a piechart, when i click i want to see the individual events. I have tried to do this with a token but i am stuck (again) . We are running version 6.5.2 ... View more

We work with version 6.5.2 and i only see three options ... View more