I'm having an issue with a query that I can't figure out. For some reason the second part of my query is always the same as the first part of my query.
When I make two simple metrics to show the sum of in_bytes with the above queries I do get the correct numbers so it's not a data problem. When I switch src_addr and dst_addr the results are also reversed (two lines showing the exact same data based on dst_addr instead of src_addr).
Looks like somehow the results from the first part of the query are copied to the second.
The reason seems to be that all assignments to the variable $q are evaluated before the other parts of the expression are evaluated. This means that the second assignment to $q (containing the netflow.ipv4_dst_addr filter) is also what is used in the first .es() clause. Introducing a second variable instead of reassigning should solve the issues, i.e.:
$src_query='vessel_name:Vessel_1 AND netflow.ipv4_src_addr:1.2.3.4',
$dst_query='vessel_name:Vessel_1 AND netflow.ipv4_dst_addr:1.2.3.4',
.es($src_query,metric='sum:netflow.in_bytes').mvavg(3m).scale_interval(1s).divide(1024).label('Up - KBps'),
.es($dst_query,metric='sum:netflow.in_bytes').mvavg(3m).scale_interval(1s).divide(1024).label('Down - KBps')
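The following is an added illustration, not code from the thread and not Timelion's real parser: a toy Python model of the evaluation order described in the answer (all `$var='...'` assignments are resolved before any `.es()` call, so a later assignment to the same name overwrites the earlier one). It resolves which query string each `.es()` call receives and flags names that are assigned more than once, which is the check you would want before trusting two series that look identical. The two sample expressions are constructed for this example.

```python
import re

# Toy model of Timelion variable handling (constructed for this example).
# Matches `$name='value'` assignments and `.es($name` calls only.
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")
CALL_RE = re.compile(r"\.es\(\$(\w+)")


def resolve_es_queries(expression):
    """Return the query string each .es() call ends up using, in order.

    Every assignment is evaluated first; a later assignment to the same
    name overwrites the earlier binding, so every .es() that references
    that name sees the last value.
    """
    bindings = {}
    for name, value in ASSIGN_RE.findall(expression):
        bindings[name] = value  # last assignment to a name wins
    return [bindings[name] for name in CALL_RE.findall(expression)]


def duplicate_assignments(expression):
    """Return the names that are assigned more than once in the expression."""
    seen = set()
    duplicates = []
    for name, _ in ASSIGN_RE.findall(expression):
        if name in seen and name not in duplicates:
            duplicates.append(name)
        seen.add(name)
    return duplicates


# Constructed sample: reassigning $q, as in the original question.
REASSIGNED = (
    "$q='vessel_name:Vessel_1 AND netflow.ipv4_src_addr:1.2.3.4',"
    ".es($q,metric='sum:netflow.in_bytes').label('Up - KBps'),"
    "$q='vessel_name:Vessel_1 AND netflow.ipv4_dst_addr:1.2.3.4',"
    ".es($q,metric='sum:netflow.in_bytes').label('Down - KBps')"
)

# Constructed sample: one variable per query, as the answer suggests.
DISTINCT = (
    "$src_query='vessel_name:Vessel_1 AND netflow.ipv4_src_addr:1.2.3.4',"
    "$dst_query='vessel_name:Vessel_1 AND netflow.ipv4_dst_addr:1.2.3.4',"
    ".es($src_query,metric='sum:netflow.in_bytes').label('Up - KBps'),"
    ".es($dst_query,metric='sum:netflow.in_bytes').label('Down - KBps')"
)

if __name__ == "__main__":
    for label, expr in (("reassigned", REASSIGNED), ("distinct", DISTINCT)):
        print(label, "duplicates:", duplicate_assignments(expr))
        for query in resolve_es_queries(expr):
            print("   .es() uses:", query)
```

With the reassigned expression both `.es()` calls resolve to the `netflow.ipv4_dst_addr` query, which is exactly the "second part copied from the first" symptom in the question; with distinct names each call gets its own filter.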