I have this query:
index=nitro_prod earliest=-30d ESK** (job_class=* OR NOT job_class=*) compl_code=*
``` The job_class clause above is true whether or not the field is present, so only compl_code=* requires a field to exist. ```
| fields app_id job_name job_no appl_gen appl_sys job_qual job_start_datetime job_end_datetime run_time_in_minutes cpu_min cpu_sec actual_s_units job_class compl_code run_time_in_minutes total_cpu_time_in_minutes input_qt_min
``` Event age in hours, measured from the time the search runs. ```
| eval age_hr=(now()-_time)/60/60
``` Window flags: 24 h, 48 h, 168 h (one week), 720 h (30 days). ```
| eval Last24=if(age_hr<=24,"Yes","No")
| eval Last48=if(age_hr<=48,"Yes","No")
| eval LastWeek=if(age_hr<=168,"Yes","No")
| eval LastMonth=if(age_hr<=720,"Yes","No")
``` Copy the run time into one field per window. The bare NULL is read as a field reference, so the value is empty when no field of that name exists and avg() skips it. ```
| eval 24hr=if(Last24="Yes",run_time_in_minutes,NULL)
| eval 48hr=if(Last48="Yes",run_time_in_minutes,NULL)
| eval week=if(LastWeek="Yes",run_time_in_minutes,NULL)
| eval month=if(LastMonth="Yes",run_time_in_minutes,NULL)
``` Average run time per job for each window, plus a daily trend sparkline. ```
| stats sparkline(avg(run_time_in_minutes),24h) as "Trending Daily Average" avg(24hr) as "Day" avg(48hr) as "TwoDay" avg(week) as "Week" avg(month) as "Month" by job_name
``` Keep jobs whose last-24-hour average is more than three times their 30-day average, then count them. ```
| eval ratio = Day/Month
| where ratio > 3
| stats count
I want to limit this so that it only looks at run times over 1 minute.
Any ideas?