I don't understand how it is possible that if I put my 2 searches in a dashboard, everything works.
But if in that dashboard I click the magnifying lens, the search (the 2 searches together) comes out and it does not work any more.
It cannot evaluate the variable timing because AVGDuration is empty.
This is the full code:
(index and source) earliest=-31d latest=now (Result="OK" OR LogType ="START")
| eval EndTime = if(Result="OK", _time, null)
| eval StartTime = if(LogType ="START", _time, null)
| stats Latest(StartTime) as StartTime Latest(EndTime) as EndTime by PackageName ExecutionInstanceGUID
| eval Duration = (EndTime-StartTime)
| where (Duration != "" OR Duration >= 0)
| stats avg(EndTime) as AVGEndTime avg(Duration) as AVGDuration avg(StartTime) as AVGStartTime by PackageName
| table PackageName, AVGDuration
| append [ search (index and source) earliest=-24h@h latest=now
| eval StartTime = if(LogType = "START", _time, null)
| eval EndTime = if(LogType = "END", _time, null)
| stats Latest(StartTime) as StartTime Latest(EndTime) as EndTime Latest(Result) as Result by PackageName ExecutionInstanceGUID
| eval EndTime = if(isnull(EndTime), now(), EndTime)
| eval duration = (EndTime-StartTime)
| where (duration != "" OR duration >= 0)
| table StartTime PackageName Result duration
| sort StartTime
| eval flag = 1
]
| eventstats values(AVGDuration) as AVGDuration by PackageName
| where flag=1
| fields - flag
| eval Timing = if(duration > AVGDuration, "InLate", "OnTime")
| eval Status = if(isnull(Result), Timing, Result)
| eval Duration = duration * 1000
I think the problem is that when the 2 searches come together, the first one (base) does not work anymore for some reason, but in the dashboard everything is fine.
Please help.