Hi,
I have this query
earliest=-6w@w1 index=top10 source=/home/oracle/workdir/account_log.csv STATUS="Reason*"|transaction PREMISE maxspan>19d|eventstats count as grandtotal|eventstats count as ptotal by STATUS|chart sparkline(count) as Trend count(STATUS) as Count values(eval(round(ptotal/grandtotal*100,2))) as Percentage by STATUS | sort -Count
And everything works except for the Percentage near the end. I get multiple values in the Percentage column where the Trend and Count columns are just fine
Try this
earliest=-6w@w1 index=top10 source=/home/oracle/workdir/account_log.csv STATUS="Reason*"
| transaction PREMISE maxspan>19d
| eventstats count as grandtotal
| chart sparkline(count) as Trend count(STATUS) as Count max(grandtotal) as gtotal count as ptotal by STATUS
| eval Percentage=round(ptotal/gtotal*100, 2)
| sort -Count
Try this
earliest=-6w@w1 index=top10 source=/home/oracle/workdir/account_log.csv STATUS="Reason*"
| transaction PREMISE maxspan>19d
| eventstats count as grandtotal
| chart sparkline(count) as Trend count(STATUS) as Count max(grandtotal) as gtotal count as ptotal by STATUS
| eval Percentage=round(ptotal/gtotal*100, 2)
| sort -Count
That worked perfectly!!!! Thanks Sundareshr!!!!
Looks like this
Trend Count Percentage
(sparkline is here) 2791 0.05
0.15
0.25
0.41
0.82