Getting timeslice per hour but grouping by machine ID

Question

_sourceCategory=myService
| json field=_raw "log.Log" as log_message
| json field=_raw "log.Barcode" as log_Barcode
| json field=_raw "log.MachineId" as machine_id
| where log_message contains "successfully sorted"
| count by machine_id

This query will give me the successful count per machine ID.

What I want is to get all the messages in the last 24 hours and get the average success rate per hour.

so instead of having

Machine ID	Success Rate Count	TIME
123445	2400	24H

I get something like

Machine ID	Success Rate Count per Hour	TIME
123445	100	24H

score 0 · Answer 1 · answered Dec 08 '21 at 04:42

You'd have to tag the successes versus failures before applying a timeslice using an if statement. Then apply the timeslice and aggregate on the fields and calcuate the ratio. Something like:

_sourceCategory=myService
| json field=_raw "log.Log" as log_message
| json field=_raw "log.Barcode" as log_Barcode
| json field=_raw "log.MachineId" as machine_id
| if (log_message matches "*successfully sorted*", 1, 0) as success
| timeslice 1h
| count as total_records, sum(success) as successes by _timeslice
| successes / total_records * 100 as success_rate_pct

This query will give me a % amount of success rate per total messages. What I need is the success rate average per hour. So if you succeeded 80 times in 8 hours the success rate per hour would be 10 — Lostaunaum, Dec 09 '21 at 15:04

Getting timeslice per hour but grouping by machine ID

1 Answers1