Also read about the Statistical and Charting functions available for these. Read about transforming commands like stats and timechart, etc. Since you do not have epoch time in your query, you cannot run the timechart command. PS: Timechart uses epoch time as the x-axis time field.

| stats last(totaltime) as totaltime last(duration) as duration by source

Do you really need the serv field? Do you need to get the latest values of totaltime and duration by every source? If this is what you want, then the following should be your query: Please clarify.

2) You have extracted serv but are using source in your table. Based on your current data and one of your previous commands, it should be

| rex "^(?+):\s+\+)\)\)\s+(?\d+)K-\>(?\d+)K\((?\d+)K\),\s+(?+)\ssecs\]"

1) You have mentioned the serv field, but from your example it is not clear as to what is the regular expression for the serv field and what is its regular expression.

Would like to show a trend line graph based on the values of "totaltime" in x-axis and "duration" in y-axis for each "serv".

If you have more questions on this, I'll be happy to reply.

| timechart or chart would like to populate totaltime in x-axis and duration in y-axis for each serv

Set each of these to the ratios value for each column in your graph, with only one being the ratio, and the rest being zero. You would have a value for each of the models in your data. You will probably not want to do the same stats command that I use, and use something else (perhaps timechart or something else). You can set the seriesColors as you would like for your graph, which would replace the green, yellow and red colors that I have in mine.
| search service=*-BP6 | rex field=monitoringmsg " - (?P<state>\w+)" | eval okstate=if(state="OK",1,0) | eval wstate=if(state="Warning",1,0) | eval cstate=if(state="Critical",1,0) | stats last(okstate) as OK, last(wstate) as WARN, last(cstate) as CRIT by service

Sourcetype=tomcat | fields

search service=*-ON1 | rex field=monitoringmsg " - (?P<state>\w+)" | eval okstate=if(state="OK",1,0) | eval wstate=if(state="Warning",1,0) | eval cstate=if(state="Critical",1,0) | stats last(okstate) as OK, last(wstate) as WARN, last(cstate) as CRIT by service

Here is some of the code that I use (XML) that does this:

Tomcat status

The stacked column chart will then show only one of the colors for each of the columns, which I think is what you want to display. In your case, you can have a model value for each column that you want in your graph, and only one of the models will use the ratio value, and the others will be zero. I have two charts in the XML code below, and they are dependent on the same data, so I am using the same search to get the data, and then doing the search for each chart off that same data. Using a stacked column chart, only one of the colors will show. If the state is critical, then the red value is 1 and the green and yellow values are 0.

If you use an eval expression, the split-by clause is required. You can specify a column split-by field, where each distinct value of the split-by field becomes a series in the chart.

If the state is OK, then the green value for the column is 1, and the yellow and red are 0.

A timechart is a statistical aggregation applied to a field to produce a chart, with time used as the X-axis.

This is made visible by setting the values for the graph to have a value for each color depending on the state. It needs to show green, yellow or red depending on the state of the process on the host. I have a dashboard that needs to show the state of a Tomcat service on a set of hosts.
I have a similar problem, and the solution I use is a simple one that may also work for you.