Hey guys, I'm using Kibana version: 6.4.3
I have a query to find the top N functions that generated error logs which have been hit most today and compare it with yesterday, here is an example:
The grey line is top N functions of today, and the other lines are the functions which have error logs newly generated today that we need to pay attention to. In use we will choose the time range as last 1d.
Here is the query content, I simply used if to complete this query, I'm not sure if it's the right approach:
// cLogLevel:1 means find out the error log, level 1 means error.
// dwUserDef1 means line number, need to filter out reports containing line numbers
// sUserDef2 means function name.
// first line draws top N functions today
.es(q='cLogLevel:1 AND dwUserDef1:>0', split=sUserDef2:10).label().color("#c6c6c6"),
// second line draws with comparison
.es(q='cLogLevel:1 AND dwUserDef1:>0', split=sUserDef2:10).if(operator=gt, if=.es(offset=-1d, q='cLogLevel:1 AND dwUserDef1:>0', split=sUserDef2:10), then=.es(q='cLogLevel:1 AND dwUserDef1:>0', split=sUserDef2:10)).label("[$1]", regex="^.* > sUserDef2:([\S:\(\)_ ]+) > .*").lines(fill=5, steps=0),
Now the problem is: if there is no error log during the statistical period, using split will report an error:
I want to draw all the data today when there is no data yesterday, since all the data today can be considered newly generated, and draw null on the no data part.
I have tried adding a new if condition to draw only if the total value is greater than 0, but I still get this error, it seems like I cannot skip the calculation even if the condition is not met.
.es(offset=-1d, q='data today').if(operator=gt, if=0, then=.es(q='the query above'), else=null)
Is there any way to solve this problem?
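
The comparison the post asks for, written out as an added Python example (it is not part of the original post and is not Timelion code): per function, today's bucket is kept only where it exceeds the same bucket yesterday, and a function with no series yesterday is compared against zeros instead of raising an error. The function name `newly_rising`, the sample function names and the counts are all constructed for illustration.

```python
from typing import Dict, List, Optional

Series = List[Optional[int]]  # one error count per time bucket


def newly_rising(today: Dict[str, Series],
                 yesterday: Dict[str, Series],
                 top_n: int = 10) -> Dict[str, Series]:
    """Per function, keep today's bucket where it exceeds the same bucket
    yesterday; every other bucket becomes None (nothing is drawn)."""
    # Rank today's functions by total errors and keep the top N,
    # which mirrors split=sUserDef2:10 in the post.
    ranked = sorted(today,
                    key=lambda f: sum(v or 0 for v in today[f]),
                    reverse=True)[:top_n]
    result: Dict[str, Series] = {}
    for func in ranked:
        cur = today[func]
        # No series yesterday (or no data at all yesterday): compare against
        # zeros, so everything seen today counts as newly generated.
        prev = yesterday.get(func) or [0] * len(cur)
        result[func] = [
            c if (c or 0) > (p or 0) else None
            for c, p in zip(cur, prev)
        ]
    return result


# Constructed sample data: function name -> error counts per bucket.
TODAY = {"parse_cfg": [3, 0, 5], "open_sock": [1, 1, 0], "flush": [0, 2, 2]}
YESTERDAY = {"parse_cfg": [3, 1, 2], "flush": [0, 0, 4]}

if __name__ == "__main__":
    for name, points in newly_rising(TODAY, YESTERDAY).items():
        print(name, points)
    # Empty yesterday: every non-zero point of today is kept.
    print(newly_rising(TODAY, {}))
```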