Need a way to select only specific events from the list of events. Here is the example: I have a query on IIS logs which gives me around, say, 60000 events, so I want to select every 12th event from the searched 60 events to do stats on those filtered events.
Not sure I get it. Do you want the count of total search results in a field so that you can do some calculation (like a percentage calculation) on it?
If the above is true, you can use the eventstats command to add an aggregation in a new field, without changing/aggregating the search results.
e.g. this will give you a field totalEvents with the total number of events before the filter:
your base search | eval sno=1 | accum sno | eventstats count as totalEvents | where floor(sno/12)=(sno/12) | rest of your search
That's similar to what I am looking for, but I am facing an issue here. In the above, I want to decide the number 12 by doing math with the total events:
your base search | eval sno=1 | accum sno | eventstats count as totalEvents | eval div=totalEvents/5000 | where floor(sno/div)=(sno/div) | rest of your search
but it's not giving me correct results!
I need to get a sample size of 5000 events to calculate the mean and standard deviation for each day for the last 60 days, so in order to get a random sample of 5000 events I am calculating the total events, and then div is floor(totalEvents/5000). Then as I get this, I am picking each event based on div (like 12 before).
I am able to get it like this:
your base search | eval sno=1 | accum sno | eventstats count as totalEvents | eval div=floor(totalEvents/5000) | where floor(sno/div)=(sno/div) | head 5000 | timechart span=1d avg(filedx) stdev(filedx) ..
Is there anything wrong with this search?
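To show why the non-floored div in the earlier search keeps almost nothing while the floored version yields 5000 events, here is an added Python model of that SPL pipeline; it is not code from this thread or from Splunk. The IIS events are constructed, and the guard for fewer than 5000 events (where the searches above would divide by zero) is an assumption of the model.

```python
import math
from collections import defaultdict
from statistics import mean, stdev

def build_events(n=61234, days=60):
    # Constructed stand-in for the IIS events: n events in time order,
    # spread evenly over `days` days, each with a numeric field "filedx".
    return [{"day": i * days // n, "filedx": (i * 7919) % 1000} for i in range(n)]

def sample_every_nth(events, target=5000, floor_div=True):
    """Model of the thread's SPL pipeline:
    eval sno=1 | accum sno | eventstats count as totalEvents
    | eval div=<totalEvents/target> | where floor(sno/div)=(sno/div) | head target
    floor_div=False reproduces the non-floored div from the failing search."""
    total = len(events)                       # eventstats count as totalEvents
    div = total / target
    if floor_div:
        div = math.floor(div)                 # eval div=floor(totalEvents/5000)
    if div < 1:
        # Fewer than `target` events: the SPL in the thread divides by zero here
        # (null in Splunk, so the where clause keeps nothing). This guard, which
        # keeps every event, is an assumption; the thread's searches have none.
        return list(events)
    selected = []
    for sno, ev in enumerate(events, start=1):        # accum sno
        if math.floor(sno / div) == sno / div:        # true only for integer multiples of div
            selected.append(ev)
    # head 5000: with div=floor(total/target) there are >= target candidates,
    # so the tail (the last events in search order) is cut off, not thinned.
    return selected[:target]

def daily_stats(sample, field="filedx"):
    # timechart span=1d avg(field) stdev(field) over the sampled events
    by_day = defaultdict(list)
    for ev in sample:
        by_day[ev["day"]].append(ev[field])
    return {d: (mean(v), stdev(v) if len(v) > 1 else 0.0)
            for d, v in sorted(by_day.items())}

if __name__ == "__main__":
    events = build_events()
    print(len(sample_every_nth(events, floor_div=False)))  # non-integer div: almost nothing survives
    print(len(sample_every_nth(events)))                   # floored div: 5000
    print(len(daily_stats(sample_every_nth(events))))      # days present in the sample
```

With 61234 constructed events, floor gives div=12 and 5102 candidates, so head 5000 drops the last 102 and the final day is missing from the daily stats; a non-integer div makes floor(sno/div)=(sno/div) true for at most a couple of events.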