span=1m time stats count by time timechart span=1h avg(count) This. Because eval works on a row by row basis, attempting to. eval lets you assign a value to a new field on each result (row / record) based on values of other fields in each result and functions applied to the same. Is this correct? The reason I'm asking is because I see a "Compliant" field and a "NonCompliant" field in the foreach command, and I'm not sure how they come into play. In both cases, we can add span=1m to timechart, and we would know that each bar. The issue at hand I think is an understanding of the differences between eval and chart. I'm operating under the assumption that we're working with these two fields for this search: The reason it fails to recognize count of statusCategory="Fail" is because the search pipe and the stats pipe removes all instances of fail statuses from the data. Since you renamed the count field, you have to use the new name in the calculation. The first line is just to build an event which contains your data, the rex and the stats will do the work. Hello again rashi! No problem at all, it is my intention to help out however I can. In case you want count of tag to appear as a field for each event (counting no of tag for each event), in MuS answer, replace 'stats count by tagid' to 'eval tagcount=mvcount(tagid)'. If it's the former, are you looking to do this over time, i.e. What I am trying to get is a count of each of the values that are. | rex field=foo max_match=0 "(?\(TagID\))" Are you looking to calculate the average from daily counts, or from the sum of 7 days worth This is the confusing part. I have a table like this that is generated by a stats values (value1) values (value2) values (value3) values (value4) by host. For instance, in the previous example, the fields could be extracted using: rex '