AQL

https://www.ibm.com/docs/en/qsip/7.5?topic=cwfads-sample-event-log-source-storage-usage-aql-statements#reference_fsw_c3k_pbb__unparsed_events_percentage

QMLA Display No. of Alerts per Log Source

-- Event totals for QID 2000307 over the last 7 days, one row per day and per
-- "QMLA_Monitor - Log Source Name" value.
-- Day buckets come from dividing starttime by 1000*86400 (the number of
-- milliseconds in a day); groups whose total is 1 or less are dropped.
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd') AS "Date",
    "QMLA_Monitor - Log Source Name",
    SUM(eventcount)
FROM events
WHERE qid = 2000307
GROUP BY
    starttime / (1000*86400),
    "QMLA_Monitor - Log Source Name"
HAVING SUM(eventcount) > 1
ORDER BY Date DESC
LAST 7 DAYS

Log Sources That Sent <= 10 Events in 1 Day

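-- Log sources that sent 10 or fewer events in the last 24 hours, with their
-- domain and log source type. The listed log source types are excluded by name.
-- The last entry of the exclusion list was misspelled 'Health Mertrics', which
-- matches no type name; it is corrected to 'Health Metrics' so the exclusion
-- takes effect.
-- NOTE(review): a log source that sent no events at all in the window has no
-- rows in events and cannot appear in this result; a fully silent source
-- needs a separate check.
SELECT
    DOMAINNAME(domainid) AS 'Domain',
    LOGSOURCENAME(logSourceId) AS 'Log Source',
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    LONG(SUM(eventcount)) AS CountEvents
FROM events
WHERE "LogSourceType" NOT IN (
    'WinCollect',
    'Asset Profiler',
    'Anomaly Detection Engine',
    'Custom Rule Engine',
    'SIM Generic Log DSM',
    'System Notification',
    'SIM Audit',
    'Health Metrics'
)
GROUP BY logSourceId
HAVING CountEvents <= 10
LAST 24 HOURS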

Show EPS per QID and Total event count

-- Top 100 event names by events per second over the last hour, with the total
-- event count for each.
-- The divisor 3600 is the number of seconds in the LAST 1 HOURS window; change
-- the two together.
-- NOTE(review): rows are grouped by event name only, so the Domain and category
-- columns presumably show one representative value per group -- confirm.
SELECT
    QIDNAME(QID) AS 'Event Name',
    DOMAINNAME(domainid) AS 'Domain',
    QID AS 'QID',
    CATEGORYNAME(highlevelcategory) AS 'High Level Category',
    CATEGORYNAME(Category) AS 'Category',
    LONG(SUM(eventcount)) / 3600 AS 'EPS',
    LONG(SUM(eventcount)) AS 'Event Count'
FROM events
GROUP BY "Event Name"
ORDER BY "EPS" DESC
LIMIT 100
LAST 1 HOURS

Disk Usage by Domain

-- /store disk usage for the last 15 minutes, one row per domainId, read from
-- events with "Metric ID" 'DiskUsage' and deviceType '368'.
-- MAX("Value") is multiplied by 100 and shown with a '%' suffix.
-- NOTE(review): the output alias 'Value' shares its name with the "Value"
-- property, so it is unclear which of the two ORDER BY "Value" sorts on -- confirm.
SELECT
    "Tenant" AS 'Domain',
    "Element" AS 'Disk Name',
    CONCAT(MAX("Value"*100), '%') AS 'Value'
FROM events
WHERE "Element" = '/store'
    AND "Metric ID" = 'DiskUsage'
    AND "deviceType" = '368'
GROUP BY "domainId"
ORDER BY "Value" DESC
LIMIT 988
LAST 15 MINUTES

Log source time and storage time difference

-- Log sources whose devicetime and starttime differ by 200 minutes or more in
-- either direction, over the last 5 minutes, outside 'Default Domain'.
-- The difference is divided by 60000.0 to turn milliseconds into minutes.
-- An offset this large usually points to a wrong clock or time zone on the
-- source, which distorts time-based correlation and incident timelines.
SELECT
    DOMAINNAME(domainid) AS "DomainName",
    LOGSOURCENAME(logSourceId) AS "LogSource",
    LONG(SUM(eventcount)) AS "COUNT",
    DATEFORMAT(starttime, 'dd-MM-yyyy HH:mm') AS "Start Time",
    DATEFORMAT(devicetime, 'dd-MM-yyyy HH:mm') AS "Device Time"
FROM EVENTS
WHERE (
        (starttime - devicetime) / 60000.0 >= 200
        OR (devicetime - starttime) / 60000.0 >= 200
    )
    AND DOMAINNAME(domainid) <> 'Default Domain'
    AND LogSource IS NOT NULL
GROUP BY "LogSource"
ORDER BY "COUNT" DESC
LAST 5 MINUTES

Show Log Sources Health

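-- Parsing health per log source type over the last hour: unique QIDs, total
-- events, and the parsed/unparsed split as counts and percentages.
-- The last entry of the exclusion list was misspelled 'Health Mertrics', which
-- matches no type name; it is corrected to 'Health Metrics' so the exclusion
-- takes effect.
-- NOTE(review): confirm that COUNT(isunparsed) counts only unparsed events. If
-- it counts every row, "Unparsed Count" equals "Total Events" and the parsed
-- figures are always zero.
-- NOTE(review): rows are grouped by log source type only, so "Start Time"
-- presumably shows the time of one event in the group -- confirm.
SELECT
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Start Time",
    LONG(UNIQUECOUNT(qid)) AS "Unique QIDs",
    LONG(COUNT(*)) AS "Total Events",
    COUNT(isunparsed) AS "Unparsed Count",
    LONG("Total Events"-"Unparsed Count") AS "Parsed Count",
    LONG("Unparsed Count"*100) / "Total Events" AS "Percent Unparsed",
    LONG("Parsed Count"*100) / "Total Events" AS "Percent Parsed"
FROM EVENTS
WHERE "LogSourceType" NOT IN (
    'WinCollect',
    'Asset Profiler',
    'Anomaly Detection Engine',
    'Custom Rule Engine',
    'SIM Generic Log DSM',
    'System Notification',
    'SIM Audit',
    'Health Metrics'
)
GROUP BY "LogSourceType"
LAST 1 HOURS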

EPS Report grouped by date – NOT RAW

-- Average and peak EPS per minute over the last 2 days, taken from the
-- 'EventRate' metric events with devicetype 368 rather than from raw event
-- counts. Minutes whose AVG_EPS is not above 0 are dropped.
-- NOTE(review): rows are grouped by the minute only, so all domains fall into
-- one row per minute and Domain presumably shows one of them -- confirm.
SELECT
    DOMAINNAME(domainid) AS 'Domain',
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm') AS date,
    LONG(AVG("Value")) AS AVG_EPS,
    LONG(MAX(Value)) AS MAX_EPS
FROM events
WHERE devicetype = 368
    AND "Metric ID" = 'EventRate'
GROUP BY date
HAVING AVG_EPS > 0
ORDER BY date DESC
LAST 2 DAYS

EPS Grouped by date per minute intervals – RAW

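-- Raw EPS per minute: SUM(eventcount) for each minute bucket divided by 60.
-- The WHERE keyword was missing before the logSourceId filter, which left the
-- filter outside any clause; it is added here.
-- Log source ID 69 is excluded. The page does not say which source that is, so
-- confirm the ID in the target deployment before relying on the filter.
-- NOTE(review): rows are grouped by the minute only, so all domains fall into
-- one row per minute and Domain presumably shows one of them -- confirm.
SELECT
    DOMAINNAME(domainid) AS 'Domain',
    DOUBLE(LONG(SUM(eventcount)/60)) AS 'EPS',
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm') AS 'Date'
FROM events
WHERE logSourceId != '69'
GROUP BY Date
ORDER BY Date DESC
LAST 1 MINUTES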