I built a query to fetch the long-running jobs in a dashboard, as below. Here $Time$ is a token which is selected from a dropdown menu in that panel.
> | rex field=_raw "ApplicationName:\s+\[(?P<Applname>.*)];" | rex field=_raw "jobId: (?<jId>\w+);" | stats earliest(_time) as start latest(_time) as end by jId,sourcetype | eval diff=end-start | eval LB=$Time$*60 | eval UB=$Time$+1*60 | stats count(eval((diff> LB) AND (diff<UB))) as count | stats count
In the dashboard it is showing some numbers (3 long-running jobs). But when I click on that number, it goes to the search tab with the query below and does not fetch any results.
> | rex field=_raw "ApplicationName:\s+\[(?P<Applname>.*)];" | rex field=_raw "jobId: (?<jId>\w+);" | stats earliest(_time) as start latest(_time) as end by jId,sourcetype | eval diff=end-start | eval LB=5*60 | eval UB=5+1*60 | stats count(eval((diff> LB) AND (diff<UB))) as count
But when I change 'eval LB=5*60 | eval UB=5+1*60' to 'eval LB=300 | eval UB=360', it fetches the results.
Here I am confused: is this the right approach or not? Can anyone advise me on this?
Hi @rkishoreqa, the $Time$ token is processed as a string; that is, the UB and LB fields become strings.
Please try as below;
| rex field=_raw "ApplicationName:\s+\[(?P<Applname>.*)];" | rex field=_raw "jobId: (?<jId>\w+);" | stats earliest(_time) as start latest(_time) as end by jId,sourcetype | eval diff=end-start | eval LB=tonumber($Time$)*60 | eval UB=tonumber($Time$)+1*60 | stats count(eval((diff> LB) AND (diff<UB))) as count
If this reply helps you, an upvote is appreciated.
Thanks Scelikok,
It is working, but I changed it a little bit: tonumber($Time$+1)*60
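An added example, not part of the original thread: in eval, multiplication binds tighter than addition, so `5+1*60` evaluates to 65 rather than 360, and a window of `diff>300 AND diff<65` can never match. The search below runs the thread's window filter over constructed job durations with both forms of the upper bound; the `jId` values, the `diff` values and the field names `UB_as_posted` and `UB_grouped` are assumptions made for illustration.

```spl
| makeresults count=4
| streamstats count as n
| eval jId="constructed_job_".n
| eval diff=case(n==1, 40, n==2, 310, n==3, 345, n==4, 900)
| eval Time=5
| eval LB=Time*60
| eval UB_as_posted=Time+1*60
| eval UB_grouped=(Time+1)*60
| stats values(LB) as LB
        values(UB_as_posted) as UB_as_posted
        values(UB_grouped) as UB_grouped
        count(eval((diff>LB) AND (diff<UB_as_posted))) as count_as_posted
        count(eval((diff>LB) AND (diff<UB_grouped))) as count_grouped
```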