Hi,
I have the following search query:
index=project_omega host=PersistUBS | transaction startswith="Targeting file BP_Comp_Summ_Pos*" endswith="Server returned an error: No such file or folder" OR "The file was downloaded successfully." | search "Error" OR "Attempt 3...unsuccessful." | eval interval=relative_time(_time,"@d") | eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0) | stats sum(isFailure) as failures | rangemap field=failures low=0-0 elevated=1-2 severe=3-15 default=15
But it's showing as N/A instead of a number, please can someone suggest why this is?
Hi markthompson,
based on @martin_mueller's answer and my comment, I did some research and tests on how this could be done without using a subsearch. It took a while, but here is what you can try, and it should handle the case when there are no events at all during the search time range:
index=project_omega host=PersistUBS
| transaction startswith="Targeting file BP_Comp_Summ_Pos*" endswith="Server returned an error: No such file or folder" OR "The file was downloaded successfully."
| search "Error" OR "Attempt 3...unsuccessful."
| eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0)
| stats count AS myCount sum(isFailure) as failures
| eval failures=if(myCount=0,0,failures)
| rangemap field=failures low=0-0 elevated=1-2 severe=3-15 default=15
hope this helps ...
cheers, MuS
The sum of "nothing" is not zero, it's "nothing" or rather null. To fix that, you could include this before the stats:
... | eval isFailure=... | append [stats count | eval isFailure=0] | stats sum(isFailure) as failures | ...
That'll make sure there always is at least one zero to sum up, guaranteeing a numeric sum.
Post it here and let the world be your critic?
When there are zero events that eval would be run zero times 😛
btw, just found a way to do this without append
and it works with or without finding results. If it's okay I'll mail you the search so you can verify this twisted search 🙂
true .. 🙂
Just asking: why not a simple isnull eval instead of the appended subsearch?
...| eval isFailure=if(isnull(isFailure),"0",isFailure) | ...
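To make the "sum of nothing is null" behaviour and the fix reproducible without the project_omega index, here is an added, self-contained example (not from any of the posters above) built on synthetic events from `makeresults`. It combines MuS's `stats count`-based guard with the `default=critical` suggestion and uses `like()` on a constructed `_raw` instead of `searchmatch` against real log lines; the `| where n > 100` line is only there to throw away every event and simulate an empty time range.

```spl
| makeresults count=6
| streamstats count AS n
| eval _raw=case(n%3=0, "Server returned an error: No such file or folder", n%3=1, "Attempt 3...unsuccessful.", true(), "The file was downloaded successfully.")
| where n > 100
| eval isFailure=if(like(_raw, "%error%") OR like(_raw, "%Attempt 3...unsuccessful.%"), 1, 0)
| stats count AS myCount sum(isFailure) AS failures
| eval failures=if(myCount=0, 0, failures)
| rangemap field=failures low=0-0 elevated=1-2 severe=3-15 default=critical
```

With the `where` line in place, `stats` still emits one row (`myCount=0`, `failures` null), the `eval` turns the null into `0`, and `rangemap` yields `low` instead of N/A; delete the `where` line and the four constructed failure events (two "error", two "Attempt 3") give `failures=4`, which maps to `severe`. The same null-to-zero step can be written as `| fillnull value=0 failures` after the `stats`, which is equivalent to the `isnull()` eval suggested in this thread.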
Make sure you set the default range to something other than 15, probably default=critical or something like that.
Also note you're calculating an interval field but not using it.
Hi markthompson,
what will happen if you try something like this:
index=project_omega host=PersistUBS
| transaction startswith="Targeting file BP_Comp_Summ_Pos*" endswith="Server returned an error: No such file or folder" OR "The file was downloaded successfully."
| search "Error" OR "Attempt 3...unsuccessful."
| eval interval=relative_time(_time,"@d")
| eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0)
| stats sum(isFailure) as failures
| eval failuresCategory = case(failures=0,"low",failures<3,"elevated",failures>=3,"severe")
| table failuresCategory
Maybe this will help you to get to the point.
cheers, MuS
Doesn't sound like a rangemap issue, this is the value showing N/A rather than the colour, right?
Make sure there actually are matching events in the time range to have something to sum up.
There are no events in Today that have failed, so it should default to low (green). Any ideas why it's not doing so?
Basically what @MuS said:
... | eval range = case(failures=0,"low",failures<3,"elevated",failures>=3,"severe")
I've tried this and then it still says N/A on my dashboard.
Current string:
index=project_omega host=PersistUBS | transaction startswith="Targeting file BP_Comp_Summ_Pos*" endswith="Server returned an error: No such file or folder" OR "The file was downloaded successfully." | search "Error" OR "Attempt 3...unsuccessful."
| eval interval=relative_time(_time,"@d")
| eval isFailure=if(searchmatch("Error") OR searchmatch("Attempt 3...unsuccessful."),1,0)
| stats sum(isFailure) as failures
| eval failuresCategory = case(failures=0,"low",failures<3,"elevated",failures>=3,"severe")
| eval range = case(failures=0,"low",failures<3,"elevated",failures>=3,"severe")
Use eval to compute a field called range using the case suggested by @MuS and you'll have the same behaviour as rangemap, including dashboard visualizations using the field value as a CSS class.
Hey Martin, can you please give me an example of the string you would use and I'll mark it as answer if it works.
Hi MuS, thanks for this answer.
However, I wish to use the rangemap command as it's configured on the dashboard to create a traffic light based on the level (low, elevated or severe)