I am trying to use a radial gauge to report a percentage. I've built my search, and the field that I want to report on has 4 different values.
I have my basic search and then the following:
| stats count by myfield | gauge count by myfield=normal*
which gives me a gauge value of 4, but that only reflects the total different values of the field "severity".
I've tried to place an eval, but it doesn't take:
| stats count myfield1 as (search severity=normal)
| stats count myfield2 as (search severity="*")
| eval myfield=100*(myfield1/myfield2)
| gauge myfield
I used something like this:
search
| dedup ID
| eval breached = if(SLA = "Breached", 1, 0)
| eval active = if(SLA = "Active", 1, 0)
| eval met = if(SLA = "Met", 1, 0)
| eval total = 1
| stats sum(breached) AS sum_breached, sum(active) AS sum_active, sum(met) AS sum_met, sum(total) AS sum_total
| eval perc_breached=((sum_breached/sum_total)*100)
| eval perc_active=((sum_active/sum_total)*100)
| eval perc_met=((sum_met/sum_total)*100)
| gauge perc_met
This really helps. Now what I'm trying to do is timechart these percentages; however, the timechart function only seems to work on registered fields.
Something like this should work:
index=bar severity=*
| eval foo=if(severity=="normal",1,0)
| stats count as total, sum(foo) as foo
| eval percfoo=100*(foo/total)
| gauge percfoo
Hope this helps,
d.
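As an added example (not code from either answer above), here is one search that produces the percentage both as a gauge and as a timechart, which was the follow-up question. The index name `bar`, the `severity`/`normal` values and the `ID` field come from the thread; the 1-hour span, the field name `is_normal` and the gauge range values 0/50/80/100 are assumptions.

```spl
index=bar severity=*
| dedup ID
| eval is_normal=if(severity=="normal",1,0)
| timechart span=1h count AS total, sum(is_normal) AS normal
| eval perc_normal=if(total>0, round(100*normal/total,2), null())
| fields _time, perc_normal
```

The reason timechart appeared to work only on "registered" fields is pipeline order: timechart can use any field that exists on the events reaching it, including one created by a preceding eval (as `is_normal` is here), but the `perc_*` fields in the first answer are created after `stats` has already collapsed the time dimension, so there is nothing left for timechart to bucket. Compute the counts per time bucket first, then derive the percentage. The `total>0` guard avoids a division-by-zero null in empty buckets, and `severity=*` keeps events without a severity value out of the denominator. For the single-value gauge, replace the timechart line with `| stats count AS total, sum(is_normal) AS normal` and end with `| gauge perc_normal 0 50 80 100`.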