Hi
Say I have the following log statements (generated throughout the day):
id=111,type=2,field1=y
id=141,type=23,field1=y
id=131,type=21,field1=n
id=121,type=27,field1=n
...
...
How do I calculate the following?
Number of events with field1='y' / Number of total events for that day
Thanks for your help.
sourcetype=mylogs | stats count(eval(field1=="y")) as ycount, count as totalcount | eval pct=ycount/totalcount
If you don't care about events where field1 doesn't exist at all, you could do:
... | top field1 | search field1=y
Since the top command calculates percentage automatically.
Thanks for the response. Certain events may not have the field and we still want to include them in the count.
sourcetype=mylogs | stats count(eval(field1=="y")) as ycount, count as totalcount | eval pct=ycount/totalcount
It's asking stats to count the number of rows in which the eval expression is true, and return that number into a field called ycount. Then asking it to calculate the total number of rows and return that as a field called 'totalcount'.
Thanks much. Could you explain how this actually works? 🙂
sourcetype=mylogs | timechart count(eval(field1=="y")) as ycount, count as totalcount | eval pct=ycount/totalcount
Thanks. This solution works in calculating the percentage. Is there a way to chart this data over time?
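An added example, not part of the original thread: a Python sketch of what the two searches above compute, run over constructed events in the thread's key=value format, one of which has no field1. The function names and the extra sample event are assumptions made for illustration; the `top` behaviour follows the description given in the thread.

```python
from collections import Counter

# Constructed sample events; the last one deliberately has no field1.
SAMPLE_LOG = """\
id=111,type=2,field1=y
id=141,type=23,field1=y
id=131,type=21,field1=n
id=121,type=27,field1=n
id=151,type=4
"""


def parse_event(line):
    """Split one 'k=v,k=v' line into a dict; tokens without '=' are ignored."""
    pairs = (tok.split("=", 1) for tok in line.strip().split(",") if "=" in tok)
    return {k.strip(): v.strip() for k, v in pairs}


def load(text):
    """Parse every non-empty line of a log blob into an event dict."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def stats_ratio(events, field="field1", value="y"):
    """Mirror of: stats count(eval(field1=="y")) as ycount, count as totalcount."""
    # An event without the field makes the eval expression null, so it is
    # not counted in ycount, but it still counts toward totalcount.
    ycount = sum(1 for e in events if e.get(field) == value)
    totalcount = len(events)
    pct = ycount / totalcount if totalcount else 0.0
    return ycount, totalcount, pct


def top_percent(events, field="field1"):
    """Mirror of: top field1 (percentages over events that have the field)."""
    counts = Counter(e[field] for e in events if field in e)
    seen = sum(counts.values())
    return {v: 100.0 * c / seen for v, c in counts.items()}


if __name__ == "__main__":
    events = load(SAMPLE_LOG)
    print("stats:", stats_ratio(events))  # denominator includes the event missing field1
    print("top:  ", top_percent(events))  # denominator excludes it
```

With the sample above, the stats form divides by all five events while the top form divides by the four that carry field1, which is the difference raised in the thread.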