In my current run, if two estops / jams are active at the same time, it will count count every minute they are both in alarm as 2 minutes for the "MinutesInAlarm" field. I need them to count as 1 real minute, no matter how many are active in that field at that time
This is my current search:
index=4_ip_sql source=CNVIP101 Priority=4 Quality=192 date_hour>=11 date_hour<24 (Message="*jam*" OR Message="*stop*")
| eval AlarmType=if(like(Message,"%Jam%"),"Jam","E-Stop")
| dedup EventID
| eval PLC=mvindex(split(SourceName," "),0)
| transaction SourceName startswith="Active=1" endswith="Active=0" maxevents=2
| stats count as Alarms, sum(eval(duration/60)) as MinutesInAlarm by PLC AlarmType
| eval MinutesInAlarm=round(MinutesInAlarm)
| sort PLC
Thanks!
↧