Hi guys! I'm going crazy trying to find a way to solve this problem.
I'm trying to find the percentage of non-cleaned malware from my AV log. For that I have a field that contains the legends "Cleaned", "Quarantined", "Unable to Clean", "Unable to Quarantine", "Unable to handle", etc.
For me, all the events that have a result like "Unable to *" are non-contained detections, so I made this search to compare the results and get the percentage value:
source=malware.csv | stats count as total | append [search source=malware.csv Result="Unable to *" | stats count as nocont | eval resultado=nocont/total*100] |table nocont
The result must be a Single Value with a number like "20%".
Any suggestions?
How about this?
source=malware.csv | stats count as total | appendcols [search source=malware.csv Result="Unable to *" | stats count as nocont ] | eval resultado=nocont/total*100 | table resultado
You can use eventstats to get the total of events containing the Result field. Then filter to only the Results matching the "Unable to *" pattern:
index=_internal Result=*
| eventstats count as total
| search Result="Unable to *"
| stats count as nocont values(Result) as Results last(total) as total
| eval resultado=round((nocont/total)*100,0)
| table Results nocont total resultado
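To check either search's output offline, here is an added Python example (not part of the thread) that computes the same numbers from a constructed sample of the AV log. The `require_result` switch mirrors the difference between the two answers: the appendcols version counts every event as `total`, while the eventstats version only counts events that actually have a Result field (`Result=*`). The Splunk wildcard is approximated with a case-insensitive fnmatch, which is an assumption about how `*` behaves in the real search.

```python
import csv
import fnmatch
import io

# Constructed sample of the AV log; not the asker's real malware.csv.
# One row (host7) has an empty Result field on purpose.
SAMPLE_CSV = """Timestamp,Host,Threat,Result
2024-01-01T10:00:00,host1,Trojan.A,Cleaned
2024-01-01T10:05:00,host2,Trojan.B,Unable to Clean
2024-01-01T10:07:00,host3,Worm.C,Quarantined
2024-01-01T10:09:00,host4,Worm.C,Unable to Quarantine
2024-01-01T10:11:00,host5,Adware.D,Unable to handle
2024-01-01T10:12:00,host6,Trojan.A,Cleaned
2024-01-01T10:15:00,host7,PUP.E,
2024-01-01T10:20:00,host8,Trojan.B,Cleaned
2024-01-01T10:21:00,host9,Ransom.F,Quarantined
2024-01-01T10:25:00,host10,Ransom.F,Unable to Clean
"""


def splunk_like_match(value, pattern):
    """Approximate a Splunk field wildcard: '*' matches any run of
    characters and the comparison is case-insensitive (assumption)."""
    return fnmatch.fnmatchcase(value.casefold(), pattern.casefold())


def non_contained_stats(csv_text, pattern="Unable to *", require_result=True):
    """Return total, nocont, the rounded percentage (resultado) and the
    distinct matching Result values, like the stats in the answer above.

    require_result=True  -> behaves like 'Result=* | eventstats count as total'
    require_result=False -> behaves like a plain 'stats count as total'
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if require_result:
        rows = [r for r in rows if r.get("Result")]
    total = len(rows)
    matched = [r["Result"] for r in rows
               if r.get("Result") and splunk_like_match(r["Result"], pattern)]
    nocont = len(matched)
    # With no events the ratio is undefined; Splunk would show a null field.
    resultado = round(nocont / total * 100) if total else None
    return {"total": total, "nocont": nocont,
            "resultado": resultado, "Results": sorted(set(matched))}


if __name__ == "__main__":
    print(non_contained_stats(SAMPLE_CSV))                        # total 9 -> 44
    print(non_contained_stats(SAMPLE_CSV, require_result=False))  # total 10 -> 40
```

Running it shows why the two searches can disagree by a few percent on the same log: an event without a Result field still counts toward `total` in the appendcols version but not in the eventstats one.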
This answer is also correct. Thanks a lot for your help! 😃
Please run both searches, with appendcols and with the nested search, and check in the Job Inspector for the better performance.
It worked!!! You are amazing. Thanks a lot for your help! 😃