I have two search queries which are working as expected, but when I try to join both these queries it is not giving the expected results.

First Query :- Getting the current runtime of all the active processes
index=process_log (MSGNUM="START-PROCESS") AND JOBID="JOB*"
| transaction JOBID JOBNAME keepevicted=1 keeporphans=1

Second Query :- Getting the average runtime of all the active processes from now to past one week
index=process_log (MSGNUM="START-PROCESS" OR MSGNUM="END-PROCESS") AND JOBID="JOB*" earliest=-1w latest=now()
| transaction JOBID JOBNAME keepevicted=1 startswith=START-PROCESS endswith=END-PROCESS
| stats avg(duration) as AverageRuntime by JOBNAME
| eval AverageRuntime = round(AverageRuntime,2)

Join Query based on JOBNAME
index=process_log (MSGNUM="START-PROCESS" OR MSGNUM="END-PROCESS") AND JOBID="JOB*"
| join type=left max=0 JOBNAME [ search index=process_log START-PROCESS OR END-PROCESS earliest=-1w latest=now()
| stats avg(duration) as AverageRuntime by JOBNAME]

No values are coming for AverageRuntime, Runtime is getting displayed as per JOBNAME.
I am not sure why no values are coming for AverageRuntime.

At first you have to check how many results you have in the second query because there's a limit of 50,000 results in subqueries, so maybe this is the problem.
In addition, transaction and join aren't performant commands, so it's better to replace them with the stats command, something like this:

First Search:
index=process_log (MSGNUM="START-PROCESS") AND JOBID="JOB*"
| stats earliest(_time) AS _time values(MSGNUM) AS MSGNUM count BY JOBID JOBNAME

Second Search:
index=process_log (MSGNUM="START-PROCESS" OR MSGNUM="END-PROCESS") AND JOBID="JOB*" earliest=-1w latest=now()
| stats earliest(_time) AS earliest latest(_time) AS latest values(MSGNUM) AS MSGNUM count BY JOBID JOBNAME

Full search:
index=process_log (MSGNUM="START-PROCESS") AND JOBID="JOB*"
| stats avg(duration) as AverageRuntime values(earliest) AS _time values(Runtime) AS Runtime by JOBNAME
| eval AverageRuntime = round(AverageRuntime,2), _time=strftime(_time,"%m/%d/%Y %H:%M:%S")
| table _time JOBNAME Runtime AverageRuntime

| rename COMMENT AS "Everything above generates sample event data everything below is your solution."
| stats min(_time) AS _time values(JOBNAME) AS JOBNAME range(_time) AS runtime values(which) AS whiches count BY JOBID
| eval runtime = if(runtime=0.0, now() - _time, runtime)
| rename COMMENT AS "INSERT YOUR LOGIC HERE, e.g."
| where ((count = 1) AND (whiches = "START"))