Greetings Community Experts
I have a group of devices that each should report state to a portal every 10 seconds. If a device fails to report for 6 periods - one minute, I am categorizing the device as disconnected. The time period is a workday of 6:30 AM - 6:30 PM (12 hours / 720 minutes). I am trying to use the search results to generate a percentage of connected devices. The calculation fails in the last step. Requesting your assistance to develop a working search. Here is the search I am using. Thanks in advance!
index=test earliest=-2d@d+6h+30m latest=-1d@d-5h-30m
| bucket span=1m _time
| stats count by _time, SerialNumber
| eval state=if(count>=1, "Con", "Dcon")
| stats count by SerialNumber, state | eval status=case(count=720, "Connected", count<720, "Disconnected")
| stats count by status
| eval Percent=round((Connected-Disconnected)/Connected*100, 2)."%"
I was able to obtain the results I desired with this search
index=test earliest=-1d@d+6h+30m latest=-0d@d-5h-30m | stats count by SerialNumber | stats count(eval(count>=4314)) as Con count(eval(count<4314)) as Dcon | eval Percent=round((Con)/Dcon*10, 2)."%" | fields Percent
I was able to obtain the results I desired with this search
index=test earliest=-1d@d+6h+30m latest=-0d@d-5h-30m | stats count by SerialNumber | stats count(eval(count>=4314)) as Con count(eval(count<4314)) as Dcon | eval Percent=round((Con)/Dcon*10, 2)."%" | fields Percent