Hi,
Stats count does not count all instances of variables when I use it with transactions.
Search string:
index=alto-alpha (version version=*) OR PresentationStopReason | transaction host startswith=version | search PresentationStopReason
gives the following results:
2015-08-11 08:25:07.458 Info: Starting Proximity Desktop version="desktop-1.0.0-Alpha47" OS_TYPE="osx" QT_VERSION="5.3.2" OSX_VERSION="OS X Mavericks (10.9)"
2015-08-11 09:37:37.877 Info: Connection to endpoint lost, and presentation stopped. PresentationStopReason=NetworkLost
host = 144f9ce211086089578cff547fcb17ae sourcetype = syslog_osx_qt
level="Info" uptime=000.001 Starting Proximity Desktop version="desktop-1.0.0-Alpha39" OS_TYPE="win"
level="Info" uptime=1887.327 EndpointControlAction=StopSharing PresentationStopReason=UserInput
host = dbb672153803a6d8386f0b5839697ab5 sourcetype = syslog_win_qt
2015-08-10 16:39:44.975 Info: Starting Proximity Desktop version="desktop-1.0.0-Alpha47" OS_TYPE="osx" QT_VERSION="5.3.2" OSX_VERSION="OS X Yosemite (10.10)"
2015-08-10 16:56:39.911 Info: EndpointControlAction=StopSharing PresentationStopReason=UserInput
host = 3bcefedc3125186c883196f74c99cdb8 sourcetype = syslog_osx_qt
2015-08-10 16:14:38.144 Info: Starting Proximity Desktop version="desktop-1.0.0-Alpha47" OS_TYPE="osx" QT_VERSION="5.3.2" OSX_VERSION="OS X Yosemite (10.10)"
2015-08-10 16:15:04.600 Info: Pairing to endpoint lost, and presentation stopped. PresentationStopReason=PairingLost
2015-08-10 16:15:17.717 Info: Pairing to endpoint lost, and presentation stopped. PresentationStopReason=PairingLost
2015-08-10 16:15:33.252 Info: Pairing to endpoint lost, and presentation stopped. PresentationStopReason=PairingLost
2015-08-10 16:15:40.505 Info: Pairing to endpoint lost, and presentation stopped. PresentationStopReason=PairingLost
2015-08-10 16:15:48.252 Info: Pairing to endpoint lost, and presentation stopped. PresentationStopReason=PairingLost
2015-08-10 16:48:40.083 Info: EndpointControlAction=StopSharing PresentationStopReason=UserInput
host = 8f8567f4c2d021e1e7f79132f90bceae sourcetype = syslog_osx_qt
2015-08-10 16:13:44.281 Info: Starting Proximity Desktop version="desktop-1.0.0-Alpha47" OS_TYPE="osx" QT_VERSION="5.3.2" OSX_VERSION="OS X Yosemite (10.10)"
2015-08-10 16:13:49.741 Info: Pairing to endpoint lost, and presentation stopped. PresentationStopReason=PairingLost
2015-08-10 16:13:58.410 Info: Pairing to endpoint lost, and presentation stopped. PresentationStopReason=PairingLost
2015-08-10 16:14:09.546 Info: Pairing to endpoint lost, and presentation stopped. PresentationStopReason=PairingLost
host = 8f8567f4c2d021e1e7f79132f90bceae sourcetype = syslog_osx_qt
2015-08-10 16:13:12.804 Info: Starting Proximity Desktop version="desktop-1.0.0-Alpha47" OS_TYPE="osx" QT_VERSION="5.3.2" OSX_VERSION="OS X Yosemite (10.10)"
2015-08-10 16:13:20.478 Info: Pairing to endpoint lost, and presentation stopped. PresentationStopReason=PairingLost
2015-08-10 16:13:29.461 Info: Pairing to endpoint lost, and presentation stopped. PresentationStopReason=PairingLost
host = 8f8567f4c2d021e1e7f79132f90bceae sourcetype = syslog_osx_qt
There are 14 instances of the PresentationStopReason field in the results. When adding |stats count by PresentationStopReason to the search string, the result is as following:
index=alto-alpha (version version=*) OR PresentationStopReason | transaction host startswith=version | search PresentationStopReason | stats count by PresentationStopReason
PresentationStopReason count
NetworkLost 1
PairingLost 3
UserInput 3
Giving a total of 7 instances of PresentationStopReason, when there should be 14. Stats count is not working the way I expect. How can I count all the instances of PresentationStopReason? PairingLost should be 10.
... View more