Hello
I am trying to do a 24hr and 31 days chart for the threshold value which will be as a output of this table. Now the below code gives me threshold value for each workgroup. I now need to create a timechart which mentions about the number of times the threshold for a particular workgroup(A) is exceeded.
index=xxxx search_name="xxxx" | rename record_assignmentGroup as A | eval mybucket=case(date_hour<4,1,date_hour<8,2,date_hour<12,3,date_hour<16,4,date_hour<20,5,date_hour>0,6) | stats count as I by A, mybucket,date_mday,date_month,date_year | delta I as D | eval D = abs(D) | eventstats avg(I) as xbar, avg(D) as mbar by A | eval threshold = xbar + (2.66*mbar) | eval threshold=coalesce(threshold,0) | dedup A | fields A threshold | table A threshold
I made use of macro and now the search is
index=xxxx search_name="xxxx" | `bucket_incident` | `threshold_incident`|
It's just a shorter version of the first one.
Output:
A threshold
Regards
theou
... View more