Hi,
I need help creating a field using/grouping the sum of 2 existing fields.
Ex:
field 1 - count_of_true (these will have independent counts for each service)
field 2 - count_of_false (these will have independent counts for each service)
I am looking for a field Status which has sum(count_of_true) as true and sum(count_of_false) as false, as below, after a stats like (| stats count by status):
Status count
true 212
false 313
I tried using transpose, but the stats gives an unexpected value.
To be honest I'm not sure what you're trying to achieve and from what kind of data.
Do you have various fields in your events that each can have a value of true and false? And do you want to do an aggregate stats over all fields over all events?
Or do you want to have a stats value for each event over all fields of that event?
Or something else?
Hi PickleRick,
The below one is the one which triggered that.
I have to get the % of 2 and 3 values in the same field.
Status count
True 200
False 50
Error 10
exc 5
temp 6
Total 271
I need to get true% by true+error /Total * 100 and False% by False+exc+temp/Total*100.
Please help me with the solution.
Please help me to get a solution for this.
Hi
@kamlesh_vaghela's answer should work. You just need to update field names if needed etc.
Here is one query which you can use as a starting point for your testing.
index=_internal earliest=-1h
| stats count(eval(component="Metrics")) as true count(eval(component="ProcessTracker")) as false
This should give you some values if you have access to the _internal index. If not, then just replace the index name and those evaluation conditions (component="Metrics") with your field and the wanted value of that field.
r. Ismo
Hi Ismo,
Thank you !!
| stats count(eval("Status"="True")) as True count(eval("Status"="False")) as "False"
I am getting:
True False
0 0
Please help me out
hi @dtccsundar,
This might give you what you asked.
| makeresults
| eval count_of_true=212, count_of_false=313
| eval count=mvzip(count_of_true, count_of_false), count=split(count, ","), Status=split("true,false", ","), zip=mvzip(Status, count)
| mvexpand zip
| eval zip=split(zip, ","), Status=mvindex(zip, 0), count=mvindex(zip, 1)
| table Status, count
If this reply helps you, a like would be appreciated.
Thank you manjunathmeti,
It gives the count of each service (true and false) and the sum of (true and false).
| eval count_of_true=212, count_of_false=313
This is a dynamic value which I will get after sum(true) and sum(false), and not a static one.
Is there any other way?
Are you looking for this? Just update your stats command.
| stats count(eval(Status="true")) as true count(eval(Status="false")) as false
KV
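Added example (not part of any reply in this thread): the same conditional-aggregation idea applied to the Status/count table and the percentage grouping posted earlier, run on constructed sample rows. It assumes fields named Status and count. Inside eval a double-quoted "Status" is a string literal rather than a field reference, and string comparisons are case-sensitive, so "True" and "true" are different values.

```spl
| makeresults
| eval constructed_sample="True,200 False,50 Error,10 exc,5 temp,6"
| makemv delim=" " constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<Status>[^,]+),(?<count>\d+)$"
| stats sum(eval(if(Status="True" OR Status="Error", tonumber(count), 0))) as true_count
        sum(eval(if(Status="False" OR Status="exc" OR Status="temp", tonumber(count), 0))) as false_count
        sum(count) as Total
| eval true_pct=round(true_count / Total * 100, 2)
| eval false_pct=round(false_count / Total * 100, 2)
| table true_count, false_count, Total, true_pct, false_pct
```

To get the same figures per service, append a by clause with the service field to the stats command.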
Thank you kamlesh_vaghela,
When I tried this I am getting the count as 0 for both true and false.
Adding to that,
Sum(true) and sum(false) for each service is my need.
Any other way to achieve this?