I want to run a report each hour, this report returns a single row. I want to create a separate csv file for each day, which will have 24 rows. The index is tracking iis logs, and basically the query below is calculating the percentage of total downloads taken up by a specific type of swf file (filtered by "a_action").
Originally I was trying to use the "TIME" variable in the subsearch, but I realised the subsearch was being ran first so the TIME variable didn't exist, so I changed it to another relative time. I am using relative times as the query is ran at the end of the hour, and analyses the data for the hour before, so I want the time value for the query to be the hour before it is ran. Even if I just use a "now()" call, the query still fails.
Some field values have been anonymised, where this is the case I've used the asterisk sign and capital letters.
index=iis a_app=*APP* | eventstats sum(sc_bytes) as TOTAL_BYTES | where like(a_action, "*APP*.swf")
| eventstats sum(sc_bytes) as SWF_BYTES | eval PERCENTAGE = SWF_BYTES/TOTAL_BYTES*100 | eval TIME=relative_time(now(),"-60m")
| stats values(TIME) as DATE_TIME, values(TOTAL_BYTES) as TOTAL_BYTES, values(SWF_BYTES) as SWF_BYTES, values(PERCENTAGE) as PERCENTAGE
| outputcsv append=true
[ | stats count | eval FILENAME=strftime(relative_time(now(),"-60m"),"swf_download_%d_%m_%Y") | fields FILENAME ]
So basically everything before the outputcsv function works, the subsearch in the outputcsv function should return a string such as "swf_download_14_01_2016", however the search fails, and I get the following errors:
Error in 'outputcsv' command: Invalid argument: '('
The search job has failed due to an error. You may be able view the job in the Job Inspector.
When I run the subsearch on its own it does return the correct string "swf_download_14_01_2016", so I am confused as to why this string is not returning and being used as the csv filename.
Thanks.
↧