How do i percentage for PROCESSED and STARTED on b...

vkari · ‎01-26-2019

index=ciaudit eventname=*
| spath "EventStreamData.response.verificationStatus"
| search "EventStreamData.response.verificationStatus"=PROCESSED OR "EventStreamData.response.verificationStatus"=STARTED
| rename "EventStreamData.response.verificationStatus" as verificationStatus
| stats count by verificationStatus

I got the results like below in a tale formate....! but i need do add percentage for count results ...?

verificationStatus count
PROCESSED 2
STARTED 187

Stated /processed *100

renjith_nair · ‎01-26-2019

@vkari,

You might need to interchange the numerator and denominator to find the % of processed vs started.

Try,

index=ciaudit eventname=*
| spath "EventStreamData.response.verificationStatus"
| search "EventStreamData.response.verificationStatus"=PROCESSED OR "EventStreamData.response.verificationStatus"=STARTED
| rename "EventStreamData.response.verificationStatus" as verificationStatus
| stats count by verificationStatus
| transpose header_field=verificationStatus column_name=perc |eval perc=round((PROCESSED/STARTED)*100,2)

Or if you want to keep the existing format,

index=ciaudit eventname=*
| spath "EventStreamData.response.verificationStatus"
| search "EventStreamData.response.verificationStatus"=PROCESSED OR "EventStreamData.response.verificationStatus"=STARTED
| rename "EventStreamData.response.verificationStatus" as verificationStatus
| stats count by verificationStatus
| eventstats values(eval(if(verificationStatus=="PROCESSED",count,null()))) as _PROCESSED,values(eval(if(verificationStatus=="STARTED",count,null()))) as _STARTED
| eval perc=round((_PROCESSED/_STARTED)*100 ,2)

---
What goes around comes around. If it helps, hit it with Karma 🙂

vkari · ‎01-26-2019

Fist query not help to me second time you gave me and fist one its working fine

i need one more help !
index=audit eventName=501 |“EventStreamData.response.verificationStatus”=PROCESSED then here

| spath "EventStreamData.eventContext.startTime" | search "EventStreamData.eventContext.startTime"="*"

index=audit eventName=503 |"EventStreamData.eventContext.endTime" | search "EventStreamData.eventContext.endTime"="*"

and Stat time and end time average time

woodcock · ‎01-27-2019

If this solution answers this question, then do click Accept (and UpVote the other helpful comments and answers). If you have more/different questions, then the appropriate thing to do is to post new questions.

renjith_nair · ‎01-27-2019

If one of the solutions worked, please accept as answer/upvote.

Didnt understand your second question fully but you are
- trying to calculate average time of each "PROCESSED" job
- eventName=501 represents startTime and 503 represents endtime

Is that correct?

Do you have a job id or any other identifier to identify the PROCESSED jobs so that we can find the duration of each job and then an average?

Something similar to

index=audit (eventName=501 OR eventName=503 ) “EventStreamData.response.verificationStatus”=PROCESSED ('EventStreamData.eventContext.startTime'="*" OR 'EventStreamData.eventContext.endTime'="*")
|stats latest('EventStreamData.eventContext.startTime') as starTime,latest('EventStreamData.eventContext.endTime') as endTime bby jobId
|eval duration=endTime-starTime

---
What goes around comes around. If it helps, hit it with Karma 🙂

vnravikumar · ‎01-26-2019

Hi @vkari

Try this

| makeresults 
| eval verificationStatus="PROCESSED", count =2 
| append 
    [| makeresults 
    | eval verificationStatus="STARTED", count =187] 
| eval{verificationStatus} = count 
| stats list(PROCESSED) as processed,list(STARTED) as started 
| eval percentage = started/processed*100

vkari · ‎01-26-2019

Nope it's wont work for me !

How do i percentage for PROCESSED and STARTED on below query

Index This | Divide 100 by half. What do you get?

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Splunk and Fraud