I want a fillnull (or similar) to happen before an eval. As I write this I realize that what I want is likely not possible using this method. The eval is likely not even called if there are no events in the timechart span I am looking at. I want the eval to return a 1 when there are no events in that span.

I am trying to make a chart of the up(1)/down(0) status of various components, some of which are determined by the IIS logs. This charts a 1 if there was at least one 200 response in the 10s span. It charts a 0 if there were responses, but none were 200. It works, except for when no events happen. If there are no matching events it is probably not even looked at and returns nothing and the chart looks like a 0. I want a 1 charted if there are no events in that 10s span.

Adding | fillnull value=200 sc_status after the timechart simply shows an extra column of sc_status at 200 in every span (column in the chart). Putting this before the eval does not work since I believe nothing is done without an event. It should also only use fillnull (or similar) if no events are in that 10 second span. I have also tried | append without success, but don't completely know how that would work.

The reasoning for the up/down status is not important since this is simply an example.

|eval Site1_up=1 if cs_host=A and at least one sc_status=200
|eval Site1_up=0 if cs_host=A and no sc_status=200
|eval Site1_up=1 if there are no events matching cs_host=A
|eval Site2_up=1 if cs_host=B and at least one cs_method=POST
|eval Site2_up=0 if cs_host=B and no cs_method=POST
|eval Site2_up=1 if there are no events matching cs_host=B
|eval Site3_up=1 if cs_host=C AND cs_User_Agent=Mozilla and at least one cs_uri_stem=check.asmx
|eval Site3_up=0 if cs_host=C AND cs_User_Agent=Mozilla and no cs_uri_stem=check.asmx
|eval Site3_up=1 if there are no events matching cs_host=C

I am looking at multiple things and charting more than one value using a case statement with the eval based on the case.

cs_host="" AND like(SOAPAction,"%release%"), "Release",
cs_host="" AND like(SOAPAction,"%verify%"), "Verify",
| timechart Max(site1_up) as Site1 Max(site2_up) as Site2

I checked the fillnull again and it does work using the basic format. If I remove the AND Type="" from one of the evals the fillnull will fix that one. I need to use the Type on the eval to do it correctly and I think that is the problem.

I have thought of counting the number of events in the time span that match each Type and setting the site_up=1 if it is zero. I think that would work if it does not cause another problem. I also thought of appending each unique search instead of using case. That may involve time buckets and have not looked into that.
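One way to get the "no events in the span means up" behaviour the post is after, along the lines of the counting idea mentioned above: compute the per-site counts inside timechart, which emits a row with zeros for every empty 10 s bucket, and apply the up/down rules with eval after it. This is an added example, not code from the thread; the index and sourcetype, the literal host names A, B and C, and the like() prefix match on cs_User_Agent are assumptions, while the IIS field names are the post's own.

```spl
index=iis sourcetype=iis (cs_host="A" OR cs_host="B" OR cs_host="C")
| timechart span=10s
    count(eval(cs_host="A")) AS site1_total
    count(eval(cs_host="A" AND sc_status="200")) AS site1_ok
    count(eval(cs_host="B")) AS site2_total
    count(eval(cs_host="B" AND cs_method="POST")) AS site2_ok
    count(eval(cs_host="C" AND like(cs_User_Agent,"Mozilla%"))) AS site3_total
    count(eval(cs_host="C" AND like(cs_User_Agent,"Mozilla%") AND cs_uri_stem="check.asmx")) AS site3_ok
| eval Site1=if(site1_total=0 OR site1_ok>0, 1, 0)
| eval Site2=if(site2_total=0 OR site2_ok>0, 1, 0)
| eval Site3=if(site3_total=0 OR site3_ok>0, 1, 0)
| fields _time Site1 Site2 Site3
```

Because the counts come out of timechart, a bucket with no matching events has site1_total=0 and charts Site1=1, which is exactly the row a per-event eval before timechart never gets to see; each branch of the case()/Type approach becomes its own count(eval(...)) pair in the same way.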