- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Is it possible to create a variable that would tri...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For the timechart below, is there a way to create variable that would trigger if a daily count dropped by a hundred?
Example if East Florida count dropped from 807-799, is there a way to write an case statement that would show a 1?
index=cmdb Owner_Contact!="IS&O" Owner_Contact!="UNDEFINED LOCATION" Owner_Contact!="SM&D"|table Name Owner_Contact SystemRole OS Site Serial_Number IsVirtual Domain Total_Physical_Memory NumberOfProcessors _time | eval divown=case(Owner_Contact="Tristar" OR Owner_Contact="North Florida" OR Owner_Contact="East Florida" OR Owner_Contact="San Antonio" OR Owner_Contact="Healthtrust","John" , Owner_Contact="North Texas" OR Owner_Contact="Mid America" OR Owner_Contact="Central & West Texas" OR Owner_Contact="Far West" OR Owner_Contact="Mountain","Jase",Owner_Contact="Capital" OR Owner_Contact="West Florida" OR Owner_Contact="Continental" OR Owner_Contact="South Atlantic","David",1=1,"None")|search divown="John" |search Owner_Contact!="None"| timechart span=1d dc(Name) as "servers" by Owner_Contact|
_time East Florida Healthtrust North Florida San Antonio Tristar
2017-01-03T00:00:00.000-0600 761 0 1232 809 889
2017-01-04T00:00:00.000-0600 807 0 1232 808 887
2017-01-05T00:00:00.000-0600 807 0 1232 808 888
2017-01-06T00:00:00.000-0600 806 0 1233 808 879
2017-01-07T00:00:00.000-0600 806 0 1233 808 879
2017-01-08T00:00:00.000-0600 0 0 0 0 0
2017-01-09T00:00:00.000-0600 810 20 1234 808 879
2017-01-10T00:00:00.000-0600 0 0 0 0 0
2017-01-11T00:00:00.000-0600 812 164 1232 833 876
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try something like this:
...|sort + _time|streamstats window=1 current=f last(*) as prev* by _time|foreach prev* [eval <<FIELD>>Alert='<<MATCHSTR>>'-'<<FIELD>>']|rename prev*Alert as *Alert|fields - prev*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try something like this:
...|sort + _time|streamstats window=1 current=f last(*) as prev* by _time|foreach prev* [eval <<FIELD>>Alert='<<MATCHSTR>>'-'<<FIELD>>']|rename prev*Alert as *Alert|fields - prev*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try looking into streamstats which evaluates data in order rather than in aggregate. you would need to generate a table of count by time and by owner (similar to your timechart but im not sure you can use timechart) and then use a streamstats command to say something like "previousDay = last(coundDay)" which will generate a new field in each event equal to the value of countDay in the previous event. then check if it dropped by 100 or more between events using "eval dropTriggered = if(previousDay - countDay > 99,1,0)". it is important that you sort by time before sending the data through streamstats so that the "last" command references the events in the correct order (chronological)
Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...
IM Landing Page Filter - Now Available
Dynamic Links from Alerts to IM Navigators - New in Observability Cloud
