Hello everyone,
I'm trying to consolidate the percentage of errors per day using the query below, but this is not happening.
The selected period is the last seven days.
index="index" | timechart count(type) as SENT, count(eval(type="b")) as ERROR | eval PERCENT=((ERROR*100)/SENT) | table PERCENT
Please tell me what can be wrong in this query.
Thank you,
The only problem I'm seeing here is that in your final | table you're not including the _time field. Otherwise, this should work exactly as you expect it to. I recommend doing | table _time PERCENT to keep the date included in your final results.
If this doesn't help, can you be more specific about what you're seeing, and how it isn't correct?
Hi emiller42,
I appreciate your answer, but it doesn't work the way I need.
Following your suggestion, I have this information:
_time PERCENT
10/21/14 10:33:00.000 AM 1.42
10/21/14 10:34:00.000 AM 0.49
10/21/14 10:35:00.000 AM 0.27
But I'm looking for something like this:
DATE PERCENT
10/21/2014 5.00
10/20/2014 3.50
10/19/2014 2.25
I still did not get the expected result.
Are you still doing the timechart portion of your search? If so, and your search timeframe is over 7 days, it should automatically bucket by day. You can force the bucketing like so: ...| timechart span=1d ... if needed.
I would like to thank you for your help. The search is working well.
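
The search the thread converges on, written out in full as an added example (not posted by either participant). It forces daily buckets with span=1d as suggested above; the DATE column via strftime, the two-decimal rounding, the zero guard for days with no events, and the newest-first sort are assumptions made here to match the layout the asker described.

```spl
index="index"
| timechart span=1d count(type) as SENT, count(eval(type="b")) as ERROR
``` days with no events have SENT=0; report 0 rather than a null percentage ```
| eval PERCENT=if(SENT > 0, round((ERROR * 100) / SENT, 2), 0)
``` newest day first, as in the desired output ```
| sort - _time
``` render the bucket start as a date only ```
| eval DATE=strftime(_time, "%m/%d/%Y")
| table DATE PERCENT
```

The triple-backtick inline comments require a Splunk version that supports them; remove those three lines on older versions.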