No they do not relate to each other - I am not sure why this just started happening - anyway the totalCapacity never changes so I could hardcode this value for now until I figure something out. ... View more

I have a follow up on this or should I start again? I can send the token and it works, but I am doing a search where one of the fields is a sum  Example stats sum(SizeGB) What the search is doing is getting the total number of Data uploaded for a Project and the report works great however I was want to send the figure as a token in the alert - I can send the project id but not the sum - I have tried $testresult.sum(SizeGB)$ and also I did an eval of the Sum and called it total_size and tried that as a token and it is just blank. ... View more

Thanks, worked great ... View more

Hey Rich that works and I get the total at the bottom but it shows every single column also. Example I had 98 Events and total was 157,000 but it shows every single event and the columns ... View more

Thanks This helps extracting the number - how do I do the sum at the end ? in 24 hours I could have 96 * 2000 file uploads ... View more

So basically I need the total number of files I uploaded in a 24 hour period once I get that figure extracted ... View more

So I am 99% there New Search Index=xxxxx "Starting iteration" OR "Stopping iteration" | timechart count spac=15m by Series | rex "Starting\siteration[\s\-]+[(?<start_reg_id>[^\s]+)" | rex "Stopping\siteration[\s\-]+(?<stop_reg_id>[^:\s]+)" | eval Start_Reg_ID=start_reg_id | eval Stop_Reg_ID=stop_reg_id   When I run I get a count of 2 - Which is the start and the stop of the same ID It shows the Time Stamp and a count of 2 - when I see the events it is correct What I need to do is tell me if it was over 15 mins - maybe I need to redo the Timespan or put more time comments in...sorry I am a newbe I have got the result and it collorates the start and finish but now how do I say over 15 mins thats long ... View more

So I have looked at my Events And it does have a Common Unique ID on each start and stop event Example Starting iteration - 17000000 Stopping iteration - 17000000 So I guess I need to extract that number and perform a duration for this. ... View more

So I have got it working 99% I did something like this Index=xxxxxx "Starting iteration" OR "Stopping iteration" | stats earliest(_time) as Start,latest(_time) as Stopped | eval Taken=tostring(Stopped-Start) | eval Taken=Taken/60 | eval Time_Taken=(if(Taken>15,"Not Good","Good")) | where Time_Taken="Not Good" | table Start Stopper Time_Taken Now it shows Not Good if over 15 mins The issue is how to set the alert properly - as if I set to check every 15 mins - it may overlap 2 starts - Example Started at 7pm and finished at 7.08pm Alert checks at like 7.25pm for the last 15 mins and it sees 7.08pm at Stopped then 7.15pm Start and maybe finished at 7.24pm - If that make sense to you guru's   ... View more

I have a question I Did this on an event and basically did the If command - that if above 15 mins then Output is BAD and if under 15 the. output is GOOD - This works. My question is I now want to search only the BAD and alert - so guess how do I start another search after I have run eval and got my BAD output? ... View more

So the Events basically have a start every 15 mins We have one event saying Starting and when it finishes within the 15 mins then it will says Stopped    once I know that time then I can alert the team IF it takes over 15 mins since it could be an issue ... View more

I will add - it is the same index but the 1st event is from one source type and the 2nd event from another source type (just different server logs)   ... View more

Thanks both of you - both work :-0) ... View more

Perfect - thank you so much ... View more

That kinda is correct but we are still doing is a Sum - For example I know ProjectID 855 uploads at least 50,000 times in a 30 day period - what I want is to just find the top 10 speeds and just list the Project ID of that single event but show the top 10 So Project 855 uploaded at 10 seconds then 1 second then 50 seconds...then Project 888 uploaded at 80 seconds then 90 seconds....   I just want to see Project 888 - 90 Project 888 - 80 Project 855 - 50 Project 855 - 10 Of course we have 00's of Projects so hopefully that makes sense 🙂 ... View more