After testing, I notice that the above search gives me the output from the last hour that is different than the output for the same hour a week ago. I tried it without the NOT in the second search and without the "where Today != LastWeek" but the output is not what it should be.

```
| timechart count by Today limit=20 useother=false
| timechart count AS Today by field2 limit=20 useother=false
| union [search NOT index=myindex sourcetype=mysourcetype field=myfield1 http_status="500" field2!="what_i_dont_want" latest=now
```

I was able to create a line chart off of the final timechart which only outputted the servers that were different from the same time period last week. Using union as a multisearch and comparing the output of the two searches seemed to have worked best for my needs.

I plan on visualizing the chart as a linechart and am not sure if there is a way to show a linechart that contains only differences (if the values are the same as last week, don't show).

I'm not sure if the following would work at getting what I want to see, but looking through some other answers similar to what I want, I believe this should work, but I do not receive any output in the statistics tab for some reason:

```
index=myindex sourcetype=mysourcetype field1=myfield1 http_status="500" field2!="what_i_dont_want" latest=now
| timechart count AS TodayLastHour by field2 limit=20 useother=false
| appendcols
| where TodayLastHour != LastWeekLastHour
| timechart count by TodayLastHour limit=20 useother=false
```

The main search that I am working with is as follows:

```
index=myindex sourcetype=mysourcetype field1=myfield1 http_status="500" field2!="what_i_dont_want"
| timechart count by field2 limit=20 useother=false
| sort -count
```

The final result that I am looking for is a timechart with the hits of the status code of 500 only if the past hour's output is different than the same hour of last week.
I believe that using stdev is the way to go but am unable to figure out exactly how to place it to get it to work (append/join the searches together then test or if it can be done in one search).

I want to display the value of the past hour only if it differs from the value of the same hour of last week.

I have two timecharts that only hit on http status code of 500 (one for the past hour and one for the same hour but last week).
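
One way to get the comparison the post describes, as an added example that is not part of the original post: count the 500s per `field2` for the last hour and for the same hour one week earlier, merge the two result sets on `field2` rather than by row position, and keep only the values whose counts differ. The index, sourcetype and field names are the post's placeholders; the `-169h`/`-168h` window for "same hour last week" and treating a missing count as 0 are assumptions.

```spl
index=myindex sourcetype=mysourcetype field1=myfield1 http_status="500" field2!="what_i_dont_want" earliest=-1h latest=now
| stats count AS Today by field2
| append
    [ search index=myindex sourcetype=mysourcetype field1=myfield1 http_status="500" field2!="what_i_dont_want" earliest=-169h latest=-168h
    | stats count AS LastWeek by field2 ]
| stats sum(Today) AS Today sum(LastWeek) AS LastWeek by field2
| fillnull value=0 Today LastWeek
| where Today != LastWeek
| sort - Today
```

The result is one row per `field2` value with both counts, so values that match last week never reach the visualization.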