I have a great search that someone here helped me with the other day. It will take all the peak numbers in a search and add them. This works great, but now I need to filter out numbers lower than 4. My current search looks like this and works.
| table _time, idle
| rename idle as "Idle Time" | eval sno=if('Idle Time'=0,1,0)
| accum sno | eventstats max("Idle Time") as max by sno
| where 'Idle Time'=max | table _time "Idle Time"
| stats sum("Idle Time") as "Idle Time"
So if my numbers look like:
0,1,2,3,0,0,1,2,3,4,5,0,1,2,3,4,5
I would get a total of 13 because it adds the peaks of 3+5+5. Users don't want to see peaks under 4. I thought I could just add a `| where idle < 4` at the beginning of the search, but that does not give the correct number. In my example I would expect to see 10 because 3 would be thrown out.
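The segment-and-peak logic of the search above, rewritten in Python as an added example (not from the post), so the 13 vs. 10 difference and the effect of filtering before vs. after the peaks are computed can be checked offline. The sample list is the one from the post; `segment_peaks`, `sum_peaks` and `sum_peaks_prefiltered` are names chosen here.

```python
from typing import Callable, Iterable, List

# Constructed sample: the idle values from the post, in time order.
IDLE_SAMPLE = [0, 1, 2, 3, 0, 0, 1, 2, 3, 4, 5, 0, 1, 2, 3, 4, 5]


def segment_peaks(idle: Iterable[int]) -> List[int]:
    """Mirror the SPL: sno=if(idle=0,1,0) | accum sno | eventstats max by sno.

    Every zero row increments the running segment id, so each zero opens a
    new segment; the result is the max idle value of each segment in order.
    """
    sno = 0                 # running value of `accum sno`
    maxes = {}              # segment id -> max idle seen in that segment
    for v in idle:
        sno += 1 if v == 0 else 0
        maxes[sno] = max(maxes.get(sno, v), v)
    return [maxes[k] for k in sorted(maxes)]


def sum_peaks(idle: Iterable[int], min_peak: int = 0) -> int:
    """Sum the segment peaks, keeping only peaks >= min_peak.

    This filters AFTER the peaks are known, which is what the post asks for:
    min_peak=4 drops the 3 and leaves 5 + 5 = 10.
    """
    return sum(p for p in segment_peaks(idle) if p >= min_peak)


def sum_peaks_prefiltered(idle: Iterable[int], keep: Callable[[int], bool]) -> int:
    """Assumed reading of the failed attempt: apply a `where` on raw rows first.

    Filtering rows before `accum sno` changes which rows are zeros and where
    the segment boundaries fall, so the peaks themselves change.
    """
    return sum_peaks([v for v in idle if keep(v)])
```

Because the SPL keeps every row equal to its segment max, a peak value repeated inside one segment would be summed twice there; this helper counts each segment once.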