I have the following SPL and I want to show the table below. The value of Total must be equal to the count of events (1588). How can I put the total count of events into the Total variable?
index=abc
| stats count as Count by reason_code
| where reason_code != "false"
| addtotals col=t labelfield=reason_code label="Retrieval task cancelled" fieldname="Percentage"
| eval "Percentage"= round((Count/Total) * 100,2)."%"
Hi
Did this help you?
index=abc
| stats count as Count by reason_code
| eventstats sum(Count) as Total
| where reason_code != "false"
| addtotals col=t labelfield=reason_code label="Retrieval task cancelled" fieldname="Percentage"
| eval "Percentage"= round((Count/Total) * 100,2)."%"
r. Ismo
Hi Ismo,
your solution works. Thanks! 🙂