Hi,
Looking at Linux syslog data, I am trying to summarize the core dumps we see into a table like:
binary,total,count_per_server
/bin/ary1,5,server1(3) server2(2)
/bin/ary2,3,server1(2) server5(1)
I came up with the below:
index=linux_general* abrt "Saved core dump" | rex "Saved core dump of pid \d+ \((?[^)]+)\)" | stats count as count_binary by binary | sort + binary_count| join binary max=0 [search index=linux_general* abrt "Saved core dump" | rex "Saved core dump of pid \d+ \((?[^)]+)\)" | stats count(binary) as count_binary_host by binary, host ] | sort - count_binary, -count_binary_host, host | eval pair=host + " (" + count_binary_host + ")" | stats list(pair) by binary, count_binary
That seems to work but for some reason it won't sort it as I wish. I tried moving the sort statement to other places but no luck, it seems to ignore it.
Any idea why, and how to make it sort?
Also any idea of an alternative better approach to avoid running the same query twice? (not a huge issue in this case given the small dataset, but still...)
Thanks,
Thibault.
↧