I have current search
index="intau_workfusion" host=* sourcetype="services_status.out.log" service="HTTP/1.1" status=* | chart count by status
when I run it and save as pie chart I am able to get the percentage of the different status code status's, but I want it in table format and I cant divide by total when doing my eval status as all the other status codes still fall under "status" how can I solve this?
sorry the first answer was correct, this is a different issue
heres my query index="intau_workfusion" host=* "crash" | chart count by host status
so I want to be able to display a zero if a host returns no results
thank you it's working, i forgot to mention that it has to display 0 for hosts that do not have any results, ive tried fillnull and its not working
OK that puts a different spin on it
| chart count by host status
| addtotals
| eval "200" = 100 * '200'/Total
| fields host 200 Total
| append
[ <search to list all the hosts you are interested in> ]
| fillnull value=0
| stats sum(*) as * by host
| chart count by status
| eventstats sum(count) as total
| eval percent=100*count/total