Hi,
I currently have a query that returns a chart of APIs whose calls average over a specific time limit (unique per API). I would then like to be able to display the count of calls over X seconds time_taken ONLY if that API had an average time_taken over X seconds.
Would I be correct in thinking that I should make my first search a subsearch and then search on that to find the counts of timed-out APIs?
Here is my current search for the APIs with average time_taken over a limit.
index=mykplan_main cs_uri_stem="AAA" OR cs_uri_stem="BBB"
| eval URI=cs_uri_stem
| eval URI = lower(URI)
| stats avg(eval(time_taken*.001)) as avg_duration by URI
| eval avg_duration=round(avg_duration,2)
| eval alert=if((avg_duration > 3 AND URI="AAA") OR (avg_duration > 1 AND URI="BBB") ,"alert", "ignore")
| where alert="alert"
| fields - alert