Let's break down the search piece by piece:
| Search fragment | Description |
| --- | --- |
| `index=main sourcetype=log4j perfType="DB"` | In this example, we search our application logs, which have the log4j source type, and view only the events related to databases (DB). |
| `\| eval threshold=con_total/100 *70` | Using the eval command, we calculate a new field called threshold, which is 70% of the total connections permitted. |
| `\| where con_used>=threshold` | Using the where command, we keep only the events whose con_used value is greater than or equal to the 70% threshold we just defined. |
| `\| timechart span=4h count(con_used) AS CountOverThreshold` | Finally, we count the number of times over a 4-hour period in which the connection ... |