I have a search similar to this that gets me stats that are the first step in what I'm after:
index=balloons
| stats count by COLOR
COLOR Count
Grey 6
Purple 5
Orange 27
Red 8
Blue 1
Yellow 9
But I want to know now is what percentage of those that aren't grey are blue or purple. Something to the effect of this:
(Count(Blue) + Count(Purple))/(Count(Purple)+Count(Orange)+Count(Red)+Count(Blue)+Count(Yellow))
Better yet, like this:
index=balloons
| eval foo="bar"
| chart count OVER foo BY COLOR
| addtotals row=t col=f
| eval ANSWER = (Blue + Purple) / Total
Like this:
| makeresults | eval raw="Grey 6:::Purple 5:::Orange 27:::Red 8:::Blue 1:::Yellow 9"
| fields - _time
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<COLOR>\S+)\s+(?<count>\d+)$"
| fields - _raw
| rename COMMENT AS "Everything above generates sample summary data; everything below is your solution; you would start with 'index=baloons | stats count BY COLOR'"
| eval foo="bar"
| xyseries foo COLOR count
| addtotals row=t col=f
| eval ANSWER = (Blue + Purple) / Total
Try this!
index=balloons| stats count by COLOR
| transpose header_field=COLOR 100
| fields - column
| eval your_field=(Blue+Purple)/(Purple+Orange+Red+Blue+Yellow)
hello there,
not the prettiest solution, but it works.
try the following search anywhere and see screenshot:
| makeresults count=1
| eval data = "Grey,6;Purple,5;Orange,27;Red,8;Blue,1;Yellow,9"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<color>[^\,]+)\,(?<color_count>\d+)"
| table color color_count
| rename COMMENT as "the above generates data below is the solution"
| search color!=Grey
| eventstats sum(color_count) as total
| eval desired_color = case(color=="Blue",1,color=="Purple",1,1==1,0)
| eval desired_sum = color_count * desired_color
| eventstats sum(desired_sum) as desired_total
| eval percent = round(color_count/total*100, 2)
| eval dsired_percent = round(desired_total/total*100, 2)
screenshot:
hope it helps