I have a search where I am trying to take the totals and turn them into a percentage.
sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" WAT | rex field=_raw "USER (?P<registrar>\[\d+-\w\w\]) downloading .*/(?<filename>.+?)$" | rex field=source "^/opt/log/(?<registry>[^/]+)/web_server/.*$" | search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=*-*.pdf OR filename=*-*_invoice.html NOT filename=*-*_*.pdf | eval Actual=case(filename=="Statement.pdf","Billing Statement",filename=="Invoice.pdf","Billing Invoice", filename=="text.txt","Billing Text",match(filename,".*-.*\.pdf$"),"Scorecard",match(filename,".*-.*_invoice\.html$"),"Drilldown Invoice") | contingency registrar Actual
I've looked at other commands such as eventtable, stats and even top but I can't seem to get the values to show a percentage instead of a count.
Can you make the numbers from contingency into percent? Is that possible using this command? It seems every time I try to pipe my results to something else the "Actual" field doesn't work and the percentage doesn't show up...
Have you, instead of contingency, tried to use:
... | top Actual by registrar
with the optional removal of the count field
... | top Actual by registrar | fields - count
It sounds to me like this is what you are trying to achieve.
Hope this helps,
Well, if you want to you could always post a few sample lines of log (with IPs/usernames/passwords masked) along with a table describing the desired output.
That will enable the community to help you further along.
Otherwise, best of luck.
I like the way contingency breaks it down... but I need to have a percentage instead of just a count. So far, with every command I've used, I haven't been successful in keeping the same format: all the file names listed at the top, registrars on the left, and then the values of how many times each registrar accessed the file.
It's strange, but it does not break it down the way I want unless I use contingency. Contingency takes all the values of Actual and lists how many times they were accessed. They are basically filenames. It does a great job of doing this. However, if I use a different command the format isn't the same at all.
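One way to keep the contingency-style layout (registrars down the left, each value of Actual across the top) while showing percentages instead of raw counts is to build the table yourself with stats, eventstats and xyseries. This is an added example and not part of the original thread or any of the posters' searches; it assumes the registrar and Actual fields are already extracted by the rex and eval stages of the search in the question (represented here by the leading "..." in the same style as the earlier reply), and it computes each cell as a percentage of that registrar's row total.

```spl
... | stats count by registrar Actual
    | eventstats sum(count) as row_total by registrar
    | eval pct=round(100*count/row_total, 2)
    | fields registrar Actual pct
    | xyseries registrar Actual pct
    | fillnull value=0
```

Because eventstats groups by registrar, the percentages across each row add up to 100 (each registrar's downloads split by file type). If you instead want every cell as a share of all downloads in the time range, drop the "by registrar" clause from the eventstats line so row_total becomes the grand total; the final fillnull puts a 0 in any registrar/file combination that never occurred, which contingency would otherwise have shown as a zero count.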