I want to show a graph of the minimum value, the maximum value, and the difference between maximum and minimum for each timeslice. It works OK for min and max:

| parse "FromPosition *)" as FromPosition
| timeslice 2h  
| max(FromPosition), min(FromPosition) group by _timeslice

but I couldn't find the correct way to specify the difference, e.g.

| (max(FromPosition)- min(FromPosition))  as diffFromPosition  by _timeslice

returns the error: Unexpected token 'b' found.

I've tried a few different combinations, declaring them on different lines as suggested on https://help.sumologic.com/05Search/Search-Query-Language/aaGroup, e.g.

| int(FromPosition) as intFromPosition
| max(intFromPosition) as  maxFromPosition , min(intFromPosition) as minFromPosition 
| (maxFromPosition - minFromPosition) as diffFromPosition
| diffFromPosition by _timeslice

without success.

Can anyone suggest the correct syntax?

Michael Freidgeim

1 Answer

Try this:

| parse "FromPosition *)" as FromPosition
| timeslice 2h  
| max(FromPosition), min(FromPosition) by _timeslice 
| _max - _min as diffFromPosition
| fields _timeslice, diffFromPosition

The group by is for the min and max functions to know what range to work with, not the group by for the overall search query. That's why you were getting the syntax errors, and it is one reason I prefer to just use 'by' as above.

For these kinds of queries I usually prefer a box plot where you would just do:

| min(FromPosition), pct(FromPosition, 25), pct(FromPosition, 50), pct(FromPosition, 75), max(FromPosition) by _timeslice

Then select box plot as the graph type. It looks great on a dashboard and provides a lot of detailed information about deviation and such at a glance.

Matthew Purdon
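The pipeline the answer describes (parse the field, bucket by timeslice, take max and min per bucket, subtract, and optionally add percentiles for a box plot) is easy to check offline. The Python below is an added illustration of that pipeline, not Sumo Logic code and not part of either post; the log lines are constructed, the regex is my reading of the parse pattern "FromPosition *)", the 2h buckets are assumed to be aligned to even UTC hours, and the percentile is a nearest-rank approximation of Sumo's pct operator. Lines that do not match the parse pattern are dropped, which is also why a min/max spread chart can silently exclude malformed events.

```python
import math
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from the original post). Each parseable
# line carries a "FromPosition N)" fragment like the one the question parses.
SAMPLE_LOGS = [
    ("2024-01-01T00:15:00Z", "move FromPosition 10) to 12"),
    ("2024-01-01T01:40:00Z", "move FromPosition 25) to 30"),
    ("2024-01-01T02:05:00Z", "move FromPosition 7) to 9"),
    ("2024-01-01T03:30:00Z", "move FromPosition 19) to 22"),
    ("2024-01-01T03:59:00Z", "move FromPosition 13) to 14"),
    ("2024-01-01T04:10:00Z", "malformed line with no position"),
    ("2024-01-01T05:45:00Z", "move FromPosition 40) to 41"),
]

# Equivalent of: | parse "FromPosition *)" as FromPosition
FROM_POSITION = re.compile(r"FromPosition (.*?)\)")


def parse_from_position(message):
    """Return the integer captured by 'FromPosition *)', or None if the line
    has no such fragment or the captured text is not an integer."""
    m = FROM_POSITION.search(message)
    if not m:
        return None
    try:
        return int(m.group(1))
    except ValueError:
        return None


def timeslice(ts, hours=2):
    """Equivalent of: | timeslice 2h
    Floors an ISO-8601 UTC timestamp to the start of its bucket. Assumption:
    buckets are aligned to multiples of `hours` from midnight UTC."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    start = t.replace(minute=0, second=0, microsecond=0)
    start -= timedelta(hours=start.hour % hours)
    return start.isoformat()


def pct(values, p):
    """Nearest-rank percentile (an approximation of Sumo's pct operator)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def aggregate(logs, hours=2):
    """Equivalent of:
        | max(FromPosition), min(FromPosition) by _timeslice
        | _max - _min as diffFromPosition
    plus the pct columns the answer suggests for a box plot.
    Unparseable lines are dropped, mirroring how unparsed messages fall out
    of the Sumo pipeline."""
    buckets = {}
    for ts, msg in logs:
        value = parse_from_position(msg)
        if value is None:
            continue
        buckets.setdefault(timeslice(ts, hours), []).append(value)

    rows = []
    for slice_start in sorted(buckets):
        vals = buckets[slice_start]
        rows.append({
            "_timeslice": slice_start,
            "_max": max(vals),
            "_min": min(vals),
            "diffFromPosition": max(vals) - min(vals),
            "pct25": pct(vals, 25),
            "pct50": pct(vals, 50),
            "pct75": pct(vals, 75),
        })
    return rows


if __name__ == "__main__":
    for row in aggregate(SAMPLE_LOGS):
        print(row)
```

The 04:00 bucket in the sample contains one malformed line and one parseable line, so its spread is 0 even though two events arrived; if that distinction matters on your dashboard, count the dropped lines separately rather than reading a flat diff as "no movement".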