Hi guys.
I have a search that shows our HTTP code errors and does an error percentage of that based on the total number of requests. What I need to do is split these results by date; see the code below:
message = "Request LOG" (path="*purchase*" OR path="*buy*") earliest=-3h | stats count by statusCode | eventstats sum(count) as total | eval percent = round(100*(count/total),2) . " %" | search (statusCode=5*) | eventstats sum(count) as errortotal | eval errper = round(100*(errortotal/total),2) | fields - errortotal, total
How could I do that?
Try like this
message = "Request LOG" (path="*purchase*" OR path="*buy*") earliest=-3h | eval errors=if(like(statusCode,"5%"),1,0)
| timechart span=1d count as total sum(errors) as errortotal | eval errper = round(100*(errortotal/total),2)
| table _time errper
What to do depends a lot on how you want the final visualization to look. Based on your code, I'm assuming that any statusCode that starts with 5 is an error. The first part of this sample code just generates a bunch of random events that have statusCodes from 0A-7D and dates from 2/1 through 2/27...
| gentimes start="02/01/2017:00:00:00" end="02/27/2017:01:00:00" increment=7h
| eval _time =starttime
| eval statusCode="A B C D A B C A B C D A B C D A B C C D A D A B C D A B C D A C D A B C D A B C D"
| eval rand1=random()%10 | eval rand2=11+2*random()%15
| eval statusCode=substr(statusCode,rand1,rand2)
| makemv statusCode
| mvexpand statusCode
| eval rand3=random()%8
| eval statusCode=rand3.statusCode
| table _time statusCode
This part calculates for each statusCode that starts with 5, the percentage of that day's events made up of that statusCode
| bin _time span=1d
| stats count as DayStatusCount by _time statusCode
| eventstats sum(DayStatusCount) as DayTotalCount by _time
| search (statusCode=5*)
| eval percent=round(100*(DayStatusCount/DayTotalCount),2)
| table _time statusCode percent
This part adds a record for each day with the total percentage of that day's events that are errors
| appendpipe [|stats sum(percent) as percent by _time | eval statusCode = "All Errors"]
This part presents the results...
| sort 0 _time statusCode
| timechart sum(percent) as percent by statusCode
Somesoni2, I still need the statusCode count and the total sum in the chart with the errper presentation.
Do you know how to do that?
You mean a column for each error status code, or just the error count and total count values for that day? If it's the latter, then just remove the last table command.
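An added example, not written by any poster in this thread: one way to keep the per-statusCode count and the daily total alongside errper, as asked in the follow-up. The first four lines build constructed sample events with makeresults so the search runs without any indexed data; the field names status_count and err_count and the sample status codes are assumptions. Against real data those four lines would be replaced by the base search, with a time range that covers more than one day.

```spl
| makeresults count=400
| streamstats count AS n
| eval _time=relative_time(now(),"-3d@d") + (n*600)
| eval statusCode=case(n%20==0,"500", n%33==0,"503", n%7==0,"404", true(),"200")
| bin _time span=1d
| stats count AS status_count BY _time statusCode
| eval err_count=if(like(statusCode,"5%"),status_count,0)
| eventstats sum(status_count) AS total sum(err_count) AS errortotal BY _time
| eval errper=round(100*errortotal/total,2)
| where like(statusCode,"5%")
| table _time statusCode status_count total errortotal errper
```

Days with no 5xx events drop out after the final where; remove that line to list every statusCode per day.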