How can i sum the value of 2 field that have similar server name without write each eval line. i am looking using foreach command to perform addtional operation by matching server name but fail. Appreciate if anyone can help?
Example :
lower95(prediction(serverA)) = lower95(prediction(serverA)) - stdev(prediction(serverA))
lower95(prediction(serverB)) = lower95(prediction(serverB)) - stdev(prediction(serverB))
upper95(prediction(serverA)) = upper95(prediction(serverA)) + stdev(prediction(serverA))
upper95(prediction(serverB)) = upper95(prediction(serverB)) + stdev(prediction(serverB))
My query :
index=winserver sourcetype="Perfmon:CPU" counter="% Processor Time" host= serverA OR host= ServerB
| timechart span=1h eval(round(avg(Value),2)) by host useother=f limit=0
| predict
[| search index=winserver object=Processor host= ServerA OR host= ServerB earliest=-7d@d latest=now()
| stats values(host) as listserver
| return $listserver] algorithm=LLP holdback=0 future_timespan=168 period=24 upper95=upper95 lower95=lower95
| eventstats stdev(prediction*)
|fields - HOE* predict*
Original data
_time lower95(prediction(serverA)) lower95(prediction(serverB)) stdev(prediction(serverA)) stdev(prediction(serverB)) upper95(prediction(serverA)) upper95(prediction(serverB))
7/1/2019 0:00 8.83 2.35 11.00 3.85 36.17 3.77
7/1/2019 1:00 9.94 0.97 11.00 3.85 36.54 4.99
7/1/2019 2:00 11.03 2.50 11.00 3.85 34.11 3.88
7/1/2019 3:00 8.38 2.23 11.00 3.85 34.52 4.15
7/1/2019 4:00 7.15 2.35 11.00 3.85 21.55 4.27
Expected output :
_time lower95(prediction(serverA)) lower95(prediction(serverB)) stdev(prediction(serverA)) stdev(prediction(serverB)) upper95(prediction(serverA)) upper95(prediction(serverB))
7/1/2019 0:00 -2.17 -1.50 11.00 3.85 47.17 7.62
7/1/2019 1:00 -1.06 -2.88 11.00 3.85 47.54 8.84
7/1/2019 2:00 0.03 -1.35 11.00 3.85 45.11 7.73
7/1/2019 3:00 -2.62 -1.62 11.00 3.85 45.52 8.00
7/1/2019 4:00 -3.85 -1.50 11.00 3.85 32.55 8.12
... View more