For a certain time range, I want to group together the counts in a single row, divided into equal time slices. For example, for "-15m" I want to see 5-minute counts something like this:

index   Last15MinCount   Last10MinCount   Last5MinCount
APP1    100              123              345
APP2    32               55               60

The idea is for me to compare the Last5MinCount to the average of Last15MinCount and Last10MinCount. I could not find a suitable way of simplifying my query, but I got this instead (note: times should have 'at'm; this forum links 'at' to members):

index=* earliest=-15m
| rex field=message "(?i)(?<ORG>[C]{0,1}+MS\w*)+(?i)\.(?<ENV>[dev|test|prod]+(-pci){0,1})\.+(?i)(?<APP>[\w-]+)"
| rex field=_raw ".*(?<level>LEVEL)[\s\S]{0,5}(?<code>FATAL|ERROR|WARN|DEBUG|INFO).*"
| eval time15=relative_time(now(), "-15m")
| eval time10=relative_time(now(), "-10m")
| eval time05=relative_time(now(), "-05m")
| eval time00=relative_time(now(), "-00m")
| eval etime=_time
| eval Time=case(tonumber(etime)>tonumber(time15) AND tonumber(etime)<=tonumber(time10), "Last15",
                 tonumber(etime)>tonumber(time10) AND tonumber(etime)<=tonumber(time05), "Last10",
                 tonumber(etime)>tonumber(time05) AND tonumber(etime)<=tonumber(time00), "Last05")
| stats count(eval(Time=="Last15")) AS Last15 count(eval(Time=="Last10")) AS Last10 count(eval(Time=="Last05")) AS Last05 by APP

This gives me the desired rows. My question is about these lines:

| eval time15=relative_time(now(), "-15m")
| eval Time=case(tonumber(etime)>tonumber(time15) AND tonumber(etime)<=tonumber(time10), "Last15"

and

| stats count(eval(Time=="Last15")) AS Last15

These can probably be combined into one line, but I could not find the most appropriate function. Any help in simplifying this would be appreciated. Thanks!
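A shorter form of the same search, added here as an example and not part of the original post: it keeps the post's two rex extractions and three slice names, snaps the search window and the slice boundaries to the minute (the `@m` the post could not type) so no event falls outside all three buckets, and lets chart build the per-slice columns instead of three count(eval(...)) clauses. The baseline and ratio fields at the end are an assumed way of doing the "compare Last5 to the average of Last15 and Last10" step.

```spl
index=* earliest=-15m@m latest=@m
| rex field=message "(?i)(?<ORG>[C]{0,1}+MS\w*)+(?i)\.(?<ENV>[dev|test|prod]+(-pci){0,1})\.+(?i)(?<APP>[\w-]+)"
| rex field=_raw ".*(?<level>LEVEL)[\s\S]{0,5}(?<code>FATAL|ERROR|WARN|DEBUG|INFO).*"
| eval slice=case(_time<=relative_time(now(), "-10m@m"), "Last15",
                  _time<=relative_time(now(), "-5m@m"),  "Last10",
                  true(),                                 "Last05")
| chart count OVER APP BY slice
| fillnull value=0 Last15 Last10 Last05
| eval baseline=(Last15+Last10)/2
| eval ratio=if(baseline>0, round(Last05/baseline, 2), null())
```

An APP with no events in the older slices gets baseline 0 and a null ratio rather than a division error, which is the case to watch when turning this into an alert.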