I have this search:
[search] | stats count by Status Errors
| eventstats sum(count) as StatusCount by Status
| eventstats sum(count) as TotalCount
| search Status = "Failed"
| eval percent=100*StatusCount/TotalCount
| where percent > 1
| table percent Errors count
Which produces the following result:
percent Error count
1.2 error1 A
1.2 error2 B
1.2 error3 C
Since the percent here is the total error percent, I would like the result to show as the following:
percent 1.2
Error count
error1 A
error2 B
error3 C
Or
Error count percent 1.2
error1 A
error2 B
error3 C
Can this be done?
This is ugly, and not quite what you're looking for but ...
$SEARCH | stats count by Status Errors
| eventstats sum(count) as StatusCount by Status
| eventstats sum(count) as TotalCount | search Status = "Failed"
| eval percent=100*StatusCount/TotalCount | where percent > 1
| table percent Errors count
| appendpipe [ | stats max(percent) as count | eval Errors="percent" ]
| fields - percent
Thanks, it is a bit ugly, but it is very close to what I am looking for.
Hi jgcsco
try this search code
[search] | stats count by Status Errors
| eventstats sum(count) as StatusCount by Status
| eventstats sum(count) as TotalCount
| search Status = "Failed"
| table Errors count
| appendcols [ [search] | stats count by Status Errors
    | eventstats sum(count) as StatusCount by Status
    | eventstats sum(count) as TotalCount
    | search Status = "Failed"
    | eval percent=100*StatusCount/TotalCount
    | where percent > 1
    | dedup percent | table percent ]
Thanks, I was wondering if there is a way to avoid using "appendcols".
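One way to get the percent next to the error list without appendcols or appendpipe, added here as an example and not taken from either answer above: since percent is identical on every row, keep it only on the first row with streamstats so it reads as a single header-like value. Field names follow the question; $SEARCH stands for the base search, and rounding to one decimal is an assumption.

```spl
$SEARCH | stats count by Status Errors
| eventstats sum(count) as StatusCount by Status
| eventstats sum(count) as TotalCount
| search Status = "Failed"
| eval percent=round(100*StatusCount/TotalCount, 1)
| where percent > 1
| streamstats count as row
| eval percent=if(row==1, percent, null())
| table percent Errors count
```

The result shows 1.2 in the percent column of the first row only, with error1/error2/error3 and their counts beneath it.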