This is my search so far.
sourcetype="spam" |eventstats count as total|search block_code="*" |eventstats count as blocked|eval blk_prcnt=round((blocked/total)*100,2)|timechart span=1m values(blk_prcnt)
It seems to print the total percentage over the last 15 minutes that I am running it on.
I thought eventstats keeps all data, but it seems like something is getting lost?
Goal is a table or chart of total, blocked, and blk_prcnt for every minute.
I was starting slow and looking to get blk_prcnt every minute, for a 15 minute interval.
TIA,
-ALF
You're filtering events (|search block_code="*") and that may be the reason for incomplete results. Give this a try:
sourcetype="spam" |eventstats count as total, count(block_code) as blocked|eval blk_prcnt=round((blocked/total)*100,2)|timechart span=1m values(blk_prcnt)
If you want a table with blk_prcnt calculated for each minute, you need to include time in the equation. Something like this:
sourcetype="spam" | timechart span=1m count as total, count(block_code) as blocked |eval blk_prcnt=round((blocked/total)*100,2)
The 2nd one you gave worked; the 1st one was no different from my original one.
Thank you.
I need to run this over the last year, so need to look into what commands are most efficient.
-ALF
Do you need span=1m for the last year as well?
No, I will do span=1mon.
-ALF
I think something with buckets could work for you:
sourcetype="spam"
| bucket _time span=1m
| stats count AS total, count(eval(isnotnull(block_code))) AS blocked by _time
| eval blk_prcnt=round((blocked/total)*100,2)
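The following is an added example, not code from the thread or from Splunk itself, that reproduces in plain Python what the two working searches above do (timechart with count(block_code), and bucket _time + stats by _time) versus what the original eventstats search does. The event list is constructed sample data, and the block_code values (RBL, SPF, DKIM) are invented labels. It shows why the original search prints one constant percentage: eventstats counts across the whole search window, so the ratio is identical on every event, whereas bucketing floors each _time to its minute and counts total and non-null block_code per bucket, which is what puts total, blocked and blk_prcnt into one row per minute.

```python
from datetime import datetime, timezone

# Constructed sample events (not from the original thread). Each entry is
# (timestamp, block_code); block_code is None when the message was not
# blocked, which mirrors a missing block_code field on a Splunk event.
SAMPLE_EVENTS = [
    ("2023-05-01T10:00:05Z", "RBL"),
    ("2023-05-01T10:00:17Z", None),
    ("2023-05-01T10:00:42Z", None),
    ("2023-05-01T10:00:59Z", "SPF"),
    ("2023-05-01T10:01:03Z", None),
    ("2023-05-01T10:01:30Z", None),
    ("2023-05-01T10:01:48Z", None),
    ("2023-05-01T10:01:55Z", "RBL"),
    ("2023-05-01T10:02:10Z", "DKIM"),
    ("2023-05-01T10:02:20Z", "RBL"),
]


def bucket_time(ts, span_seconds=60):
    """Floor an ISO-8601 UTC timestamp to the start of its span.

    This is the equivalent of `bucket _time span=1m`: every event in the
    same minute gets the same _time value so that `stats ... by _time`
    groups them together.
    """
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    return epoch - (epoch % span_seconds)


def whole_window_percent(events):
    """What the original eventstats search effectively computes.

    `eventstats count as total` counts every event in the search window
    (no `by _time`), and after `search block_code="*"` only blocked events
    remain, so `eventstats count as blocked` is the whole-window blocked
    count. Every surviving event carries the same blk_prcnt, which is why
    `timechart values(blk_prcnt)` shows one flat number per minute.
    """
    total = len(events)
    blocked = sum(1 for _, code in events if code is not None)
    return round(blocked / total * 100, 2)


def per_bucket_stats(events, span_seconds=60):
    """What `bucket _time span=1m | stats count AS total,
    count(eval(isnotnull(block_code))) AS blocked by _time
    | eval blk_prcnt=round((blocked/total)*100,2)` computes.

    Returns one row per bucket, sorted by _time, with total, blocked and
    blk_prcnt; stats produces the total/blocked columns and the trailing
    eval adds blk_prcnt to each row.
    """
    rows = {}
    for ts, code in events:
        b = bucket_time(ts, span_seconds)
        row = rows.setdefault(b, {"total": 0, "blocked": 0})
        row["total"] += 1            # stats count AS total
        if code is not None:         # count(eval(isnotnull(block_code))) AS blocked
            row["blocked"] += 1
    for row in rows.values():        # eval blk_prcnt=round((blocked/total)*100,2)
        row["blk_prcnt"] = round(row["blocked"] / row["total"] * 100, 2)
    return [dict(_time=b, **rows[b]) for b in sorted(rows)]


if __name__ == "__main__":
    print("whole-window blk_prcnt (original search):", whole_window_percent(SAMPLE_EVENTS))
    print("per-minute rows (bucket + stats by _time):")
    for r in per_bucket_stats(SAMPLE_EVENTS):
        print(r)
```

Changing span_seconds to 2592000 (or, in Splunk, span=1mon) collapses the same logic to one row per month for the year-long run; the per-bucket counting is identical, only the floor changes.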
That worked. Awesome, wish I understood it.
How the heck did you get blk_prcnt into the output table?
I'm guessing the stats command put the other 2, "total" and "blocked", into the table.
Guess I've got a lot of manual reading to do.
-ALF