Hello Community,
I evaluate the values of a single field which comes with values such as: OUT; IN; DENIED and can get counters for each of those values.
Now I want to subtraction "OUT" minus "IN" ( or maybe even minus "DENIED")
index="application-license" sourcetype=application License_User_device=* License_feature_status=* License_user=*
| fields _time,License_user,License_User_device, License_feature_status,License_feature,tag,eventtype,
| eval User=(License_user)
| eval LicenseTaken-OUT=mvfilter(match(License_feature_status, "OUT$"))
| eval LicenseTaken-IN=mvfilter(match(License_feature_status, "IN$"))
| eval LicenseTaken-DENIED=mvfilter(match(License_feature_status, "DENIED$"))
| eval LicenseTaken=(License_feature_status)
| eval LicenseTaken-AVG=mvfilter(match(License_feature_status, "OUT$") OR match(License_feature_status, "IN$") )
| eval License_feature=(License_feature)
| eval Time=strftime(_time, "%d-%m-%Y %H:%M:%S")
| bucket Time span=100d
| timechart count(LicenseTaken-OUT) as "Application-LicenseTaken(OUT)" count(LicenseTaken-IN) as "Application-LicenseTaken(IN)" count(LicenseTaken-DENIED) as "Application-License-DENIED" count(LicenseTaken) as "Application-License Taken(sum)" count(LicenseTaken-AVG) as "License_avg" | predict License_avg algorithm=LLT upper40=high lower40=low future_timespan=45 holdback=3
in above sample ... I like to implement:
| eval LicenseTaken=(License_feature_status) - | eval field1=mvfilter(match(field, "IN$"))
or
.... mvfilter(match(License_feature_status, "OUT$")) MINUS mvfilter(match(License_feature_status, "IN$"))
Field substraction wasn't working; turned back always 0 (zero)
Any ideas?
thanks in advance
Kai
... View more