I have a search that compares values in two files and comes up with duration it took to process a job.
index=abc sourcetype=abc source=PRD | eval otime=strptime(pub_date,"%Y-%m-%d %H:%M:%S") | join jobid [search index=abc sourcetype=abc_response source=PRD | eval "Response_Status"=status | eval rtime=strptime(comp_date,"%Y-%m-%d %H:%M:%S")] | eval d=rtime-otime | eval Duration=d/60 |table jobid,Duration,| reverse
Jobid is unique and will only appear once. The output is then graphed in a dashboard. At the moment all columns in the graph are blue. I need the columns to be either green or red depending on whether the duration is greater or less than 15. It should be green if Duration < 15 and red if Duration > 15.
Tried adding an additional eval, but it throws "Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr])." None of these seem to work for me.
index=abc sourcetype=abc source=PRD | eval otime=strptime(pub_date,"%Y-%m-%d %H:%M:%S") | join jobid [search index=abc sourcetype=abc_response source=PRD | eval "Response_Status"=status | eval rtime=strptime(comp_date,"%Y-%m-%d %H:%M:%S")] | eval d=rtime-otime | eval Duration=d/60 |eval urgent = duration > (15*60) |table jobid,Duration,| reverse
Any help much appreciated.
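An added example, not part of the original post, showing one way the 15-minute threshold can drive the column colours in a Simple XML dashboard: the poster's search is extended to split Duration into two mutually exclusive series, which are stacked so each job shows a single column in its series colour. The dashboard wrapper, the two hex colours and treating exactly 15 minutes as red are assumptions.

```xml
<!-- Constructed example panel; the search is the poster's, extended with the split. -->
<dashboard>
  <label>Job duration (constructed example)</label>
  <row>
    <panel>
      <chart>
        <title>Duration per job: green under 15 min, red at or over 15 min</title>
        <search>
          <query>
index=abc sourcetype=abc source=PRD
| eval otime=strptime(pub_date,"%Y-%m-%d %H:%M:%S")
| join jobid [search index=abc sourcetype=abc_response source=PRD
    | eval rtime=strptime(comp_date,"%Y-%m-%d %H:%M:%S")]
| eval Duration=(rtime-otime)/60
| eval ok=if(Duration&lt;15, Duration, null())
| eval late=if(Duration&gt;=15, Duration, null())
| table jobid ok late
| reverse
          </query>
        </search>
        <!-- Only one of ok/late is set per jobid, so stacking yields one column per job. -->
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <!-- Assumed colours: green for ok, red for late. -->
        <option name="charting.fieldColors">{"ok":0x2E8B57,"late":0xD94B2B}</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

The `&lt;` and `&gt;` entities are required because the comparison operators sit inside XML; a CDATA section around the query would work equally well.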