Right now this is displaying what I want, but how can I return a row for each hour of the day when my alert is scheduled?
index=records "ProcessRec: Total Recd"
| eval fields=split(_raw,"|")
| eval Machine=mvindex(fields,4)
| stats count(eval(Machine="SERVER1")) AS "SERVER1" count(eval(Machine="SERVER2")) AS "SERVER2"
| addtotals
| foreach "SERVER1", "SERVER2"
[| eval "<<FIELD>> %"=round((<<FIELD>>/Total)*100,2)]
UPDATE:
index=records "ProcessRec: Total Recd"
| eval fields=split(_raw,"|")
| eval Machine=mvindex(fields,4)
| timechart span=1h count by Machine
| addcoltotals labelfield="_time"
| addtotals
| appendpipe [|tail 1
|foreach SERVER* [| eval "<<FIELD>> %"=round((<<FIELD>>/Total)*100,2)]]
| selfjoin _time keepsingle=1
| reverse
As Alerting, send email with Include Inline
Awesome, that worked, but how do I keep my percentage count and total count? Need to know what percentage and total count the server is processing. This alert is sent to management; they don't want to add.
I see, check my answer.
Awesome, I was able to get it to work; the only fix was changing |tail = 25. Might play around with it after I get a full 24h. Thank you so much for your help and suggestions.