Some Device_Info are merging in the result instead of one device_info per row it is two device_info per row   ... View more

Thanks ... View more

actually I have attached sample. You can consider year as "2002" instead of 2000.   |rex field=_raw "(?<message>OFF.*)|((?<sensor>Battery).*?(?<zone>\w+_ZONE))" |eval Device_ID=mvindex(split(source,"/"),5) |table Device_ID _time message sensor zone |where isnotnull(sensor) OR isnotnull(zone) OR isnotnull(message) |sort 0 Device_ID _time |streamstats current=f last(_time) as last_time1 last(zone) as last_zone by Device_ID |eval timestamp=strftime(last_time1,"%Y-%m-%d %H:%M:%S") |eval def=case(zone="INTERVENTION_ZONE" AND last_zone="SAFE_ZONE","Changed",zone="SAFE_ZONE" AND last_zone="INTERVENTION_ZONE","Changed",zone="LOWER_THRESHOLD_ZONE" AND last_zone="UPPER_THRESHOLD_ZONE","Changed") |eval time_off=if(message=="OFF",_time,null()) |filldown time_off | eval diff=if(def=="Changed",_time-time_off,null()) | chart sum(diff) by Device_ID, sensor   ... View more

to capture the proportion of time the device spends within each temperature zone. The way you could calculate this is by taking the difference between the timestamps indicating changes to different temp zones. Then, we will have the proportion of time the different locations (battery, etc.) spent at each temp zone (proportions add up to 1 for each individual device). So this would be interesting to see if there are devices that spend an uncharacteristically high amount of time in the “failsafe” zone, and things of that sort. ... View more

|rex field=_raw "(?<message>OFF.*)|((?<sensor>Battery).*?(?<zone>\w+_ZONE))" |eval Device_ID=mvindex(split(source,"/"),5) |table Device_ID _time message sensor zone |where isnotnull(sensor) OR isnotnull(zone) OR isnotnull(message) |sort 0 Device_ID _time |streamstats current=f last(_time) as last_time1 last(zone) as last_zone by Device_ID |eval timestamp=strftime(last_time1,"%Y-%m-%d %H:%M:%S") |eval def=case(zone="INTERVENTION_ZONE" AND last_zone="SAFE_ZONE","Changed",zone="SAFE_ZONE" AND last_zone="INTERVENTION_ZONE","Changed",zone="LOWER_THRESHOLD_ZONE" AND last_zone="UPPER_THRESHOLD_ZONE","Changed") |eval time_off=if(message=="OFF",_time,null()) |filldown time_off | eval diff=if(def=="Changed",_time-time_off,null()) | chart sum(diff) by Device_ID, sensor   This is the query I have tried. Expectation: Grouped bar plot showing the proportion/amount of time an individual handset's systems spends within each Thermal zone. X axis - Thermal zone  (different zones) Y axis - proportion/amount of time spent in Thermal zone "x" Grouping - System being tracked (list of systems to the left) Include ability to filter/search for which device ID is being shown. I envision only one device able to be shown at once. Also want to be able to filter data by timeframe and/or ability to select individual inspections / boot cycles ... View more

 when i am using above query, it is showing more than one day like 142665.362 seconds and also it is showing negative time like -4321580.332 seconds, but when i am checking manually the difference is maximum1day why its showing that much difference(seconds).           ... View more