How to add a condition to filter out count greater than some value in Timelion?

elasticheart · May 18, 2017, 8:39am

Hi,

I am using ELK GA 5.0.0 and I have the below timelion code;

.es(index=mylogs-*, q='response:error',metric=count,split=username:10).divide(.es(index=mylogs-*, q='response:success',metric=count).if("eq", 0, .es(index=mylogs-*, q='response:error',metric=count).multiply(-1))).label("Ratio").lines(show=true,width=2).points(show=true,radius=4,fill=9,weight=0)

My log contain time, user, and response. Response can be either error or success. The code above will display error to success ratio for 10 users. It also handles division by zero. What I want is, I want to include the user only if the count of error for that user is greater than 100. It will be helpful if someone help me to achieve this.

Thanks in advance..

Nico-DF · May 18, 2017, 9:05am

You can modify your query I think. If response is a number and represents time in ms, you can do:

q='response:error AND response:>=10000'

And the same for success. Not sure about the actual result, but that might be what you want

elasticheart · May 18, 2017, 9:51am

Hi @Nico-DF , will this compare to the count of error responses per user?

Nico-DF · May 18, 2017, 9:57am

Forget my previous message, it is absolutly not related to your problem ineed. Was just tired.

Anyway for your problem, it might be a bit clunky, but, in the same way you use a if in your division, can't you use one on error count? If inferior to 100 then 0 (or null maybe) else, the actual result?

elasticheart · May 19, 2017, 4:34am

Hi @Nico-DF thanks for your help.

Could you kindly show me how to do that if else check in my code? I am a beginner and learning these kinds of stuffs, and dont have much idea how to accomplish this

Nico-DF · May 19, 2017, 7:10am

Well the same way you've already used it in your code:

That means, if the result of your request is equals to 0, then the value will be .es(...)

Then, for your case, you want something like:

.es(index=mylogs-*, q='response:error',metric=count,split=username:10).if("lt", 100, null)

But I think it will take the 10 first user, and then if the condition is not satisfied, it will be null (or try 0). That means that like this, I'm not sure you will still have 10 users to display. You can try it.

For further info about conditionals in timelion:

system · June 16, 2017, 7:10am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.