Returns TRUE when an IP address,, belongs to a particular CIDR subnet. Returns the first value for which the condition evaluates to TRUE. Use the links in the table to learn more about each function and to see examples. Accepts alternating conditions and values. This table provides a brief description for each function. The following table is a quick reference of the supported evaluation functions, organized by category. There are two ways that you can see information about the supported evaluation functions: | eval error=case(status = 200, "OK", status = 404, "Not found", true(), "Other") The following example shows how to use the true() function to provide a default to the case function. In the following example, the cidrmatch function is used as the first argument in the if function. You can specify a function as an argument to another function. If you want to append the literal string server at the end of the name, you would use dot notation like this in your search: name."server". For example, you have a field called name that contains the names of your servers. In other words, when the function syntax specifies a string you can specify any expression that results in a string. Literal strings must be enclosed in double quotation marks. All functions that accept numbers can accept literal numbers or any numeric field. For most evaluation functions, when a string argument is expected, you can specify either a literal string or a field name. All functions that accept strings can accept literal strings or any field. You can use evaluation functions with the eval, fieldformat, and where commands, and as part of eval expressions with other commands. Section for a quick reference list of the evaluation functions.
Eventually, I would put them all on the same graph, so that I have a line graph where each line represents a carrier, the x-axis is time and the y-axis is error value. Use the evaluation functions to evaluate an expression, based on your events, and return a result. I want to see a graph of the errors for carrier 1 over time. So as events like this come in, the error for carrier 1 will fluctuate. My ultimate goal is to have a graph of errors by carrier, which means that the carrier and error need to be related across events. Now that I am trying the next step (graphing it), I have a feeling that this might have been the wrong route. It correctly splits out the carriers and errors into multiple values. I can see the correct values (and multiple values) when I view the events. This was too long to put in the comments, so am posting it here: My end result would then be a graph with all the carriers showing the error values over time. How do I get both the fields 'carrier' and 'error' to be multi-value and then get it to pick up all the values? I think I just do a repeat of this once they are multi-value fields? (?\d+)\ Since this is two variables with multiple values in one event, I think I need to use a multi-value field. These lines above come as one event and I am trying to extract the index and the error. I have a log file with a bunch of entries like this: : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20 As it states at the very beginning, the first number is the carrier-index and the number in brackets is the error.