Synopsis

Executes a custom complex computation on search query results.

Syntax

execute [expression] (as result1, result2)

Required Arguments

expression

Syntax: mathematical expression

Description: Performs on the search results a mathematical expression that the user formulates using the execute syntax.

Optional Arguments

result1, result2, ..., resultn

Syntax: <search string>.

Description: If the results that the executed expression returns are expected to go into more than one column, the names of the columns preceded by as must be placed in parentheses following the expression. 

Description

Executes an expression on each event in the search query results. If the returned results go into more than one column, they are entered under the columns whose names appear in parentheses after the expression.

...

* in log.access |  execute if (total == NULL) THEN (total = 0); if (column.bytes\ sent != NULL && column.bytes\ sent != "-") THEN (total = total + column.bytes\ sent);total | group by status | order by value desc 

Computes the total of the bytes sent column of the events in log.access per status, and displays the total for each status in descending order of the total value.


Example 2: 

* in log.application_log  | count, sum col_name| interval 1 hour | execute result = column.count * 100 / column.sum ; result | interval 1 hour

Computes the sum of a value in the field col_name on an hourly basis, and computes the percentage of that value out of the total number of events during that hour.


Example 3:

* in log.iis log | avg time-taken | group by cs-uristem | execute if (count1 == NULL) THEN (count1 = 0);if (count2 == NULL) THEN (count2 = 0);if (count3 == NULL) THEN (count3 = 0);timetaken = column.avg; if (timetaken > 100 && timetaken < 300) THEN (count1 = count1 + 1);if (timetaken >= 300 && timetaken < 400) THEN (count2 = count2 + 1);if (timetaken >= 400 && timetaken < 500) THEN (count3 = count3 + 1);map = mapput(map,"100",count1);map = mapput(map,"300",count2);map = mapput(map,"400",count3);map as type,value | order by type

Counts the URLs (cs-uristem) whose average time-taken falls between 100-300, 300-400 and 400-500 milliseconds, based on the time-taken log field, and returns the counts under the keys 100, 300 and 400.


Example 4:

* in log.process | avg memory | interval 10 minutes | execute MB = column.Avg; if (result == NULL) then (result=""); diff=0; if (previous != NULL && (MB - previous) > 100) then (diff = MB - previous); key=""; if (diff > 0) then (key = previousTime + ";" + column.time + ";" + format(previous) + ";" + format(MB)); if (diff > 0) then (result = mapput(result, key, format(diff))); previous = MB; previousTime= column.time; result as Start of Time Slot, End of Time Slot , Min Memory, Max Memory, Memory Difference

Detects an increase of more than 100 units in an average value between consecutive 10-minute time slots; for example, an increase of more than 100 MB in memory in less than 10 minutes, based on the process performance log.
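The Example 4 expression rendered in Python, as an added example that is not part of the original page, to make visible the row-by-row state (previous, previousTime) that the execute expression carries between intervals; the input rows, fmt() and the memory_jumps() name are constructed stand-ins for the query's "avg memory | interval 10 minutes" output and its format() function:

```python
"""Added example: Python rendering of the Example 4 'execute' expression.
The SLOTS rows are constructed stand-ins for the output of
'* in log.process | avg memory | interval 10 minutes'."""
from typing import Optional

# Constructed per-interval averages of the 'memory' column, in MB.
SLOTS = [
    {"time": "10:00", "Avg": 512.0},
    {"time": "10:10", "Avg": 540.0},
    {"time": "10:20", "Avg": 700.0},   # +160 MB within one slot -> reported
    {"time": "10:30", "Avg": 690.0},
    {"time": "10:40", "Avg": 1200.0},  # +510 MB within one slot -> reported
]


def fmt(value: float) -> str:
    """Stand-in for the page's format(): render the number without decimals."""
    return f"{value:.0f}"


def memory_jumps(slots, threshold: float = 100.0):
    """Mirror of the execute expression. Variables start NULL (None) on the
    first row and persist between rows, exactly as 'previous' and
    'previousTime' do in the query. Returns one tuple per reported jump:
    (start slot, end slot, min memory, max memory, memory difference)."""
    result = {}                       # if (result == NULL) then (result = "")
    previous: Optional[float] = None  # previous = MB, carried between rows
    previous_time: Optional[str] = None
    for row in slots:
        mb = row["Avg"]               # MB = column.Avg
        diff = 0.0                    # diff = 0
        if previous is not None and (mb - previous) > threshold:
            diff = mb - previous
        if diff > 0:
            # key = previousTime + ";" + column.time + ";" + format(previous) + ";" + format(MB)
            key = f"{previous_time};{row['time']};{fmt(previous)};{fmt(mb)}"
            result[key] = fmt(diff)   # result = mapput(result, key, format(diff))
        previous = mb                 # state carried to the next interval
        previous_time = row["time"]
    # 'result as Start of Time Slot, End of Time Slot, Min Memory, Max Memory, Memory Difference'
    return [tuple(key.split(";")) + (value,) for key, value in result.items()]


if __name__ == "__main__":
    for jump in memory_jumps(SLOTS):
        print(jump)
```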


Example 5:

* in log.LOG_NAME | execute if (total == NULL) then (total = 0); if (count == NULL) then (count = 0);if (column.COLUMN_NAME == COLUMN_VALUE) then (count = count + 1); total = total + 1;(count/total)*100

Computes the percentage of events in the log LOG_NAME whose column COLUMN_NAME has the value COLUMN_VALUE, out of all events in the log.


  • The same query with a 10% (for example) threshold for monitoring, i.e. it returns a result only if the share of events in the log LOG_NAME whose column COLUMN_NAME has the value COLUMN_VALUE is greater than 10%:
* in log.LOG_NAME | execute if (total == NULL) then (total = 0); if (count == NULL) then (count = 0);if (column.COLUMN_NAME == COLUMN_VALUE) then (count = count + 1); total = total + 1;(count/total)*100 | where value > 10