Hi Splunkers,
Please help. I have a search where I want to show percentages by host of how many errors (mentioned below) occurred on a host compared with other hosts. This is my search, and I get results of 100% for all hosts:
index=pkg_dummy host IN (*) "[Error] POS Card Validation - Result: Timeout"
| eval host=host | dedup _raw
| rex "\[Error\]\sPOS\sCard\sValidation\s\-\sResult:\s(?<timeout>Timeout)"
| stats count by host AS "TOTAL"
| stats count(eval(timeout)) AS NOK_Transaction by host
| eval FailedTr = round((NOK_Transaction / TOTAL *100),2), FailedTr = FailedTr + "%"
| table host FailedTr
| sort FailedTr desc
Thank you
I am surprised you get anything
| stats count by host AS "TOTAL"
is the wrong syntax, and even if it was
| stats count AS "TOTAL" by host
You are left with two columns (host and count) which means
| stats count(eval(timeout)) AS NOK_Transaction by host
will return zeros.
Please clarify what you are actually trying
My bad, I found the solution; the trick was in
| eventstats sum(count) as TOTAL
Thank you for the quick feedback.
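
A complete search built around the `eventstats` line from the thread, as an added example that is not taken from any of the posts. It assumes the same index and error string as the question, keeps the default `count` field from `stats`, and sorts on the numeric value before the "%" suffix is appended, because a string such as "9.5%" sorts lexicographically rather than numerically.

```spl
index=pkg_dummy "[Error] POS Card Validation - Result: Timeout"
| dedup _raw
| stats count by host
| eventstats sum(count) AS TOTAL
| eval FailedTr = round(count / TOTAL * 100, 2)
| sort - FailedTr
| eval FailedTr = FailedTr . "%"
| table host count TOTAL FailedTr
```

Here `stats count by host` produces one row per host, and `eventstats sum(count)` attaches the total across all hosts to every row without collapsing them, so each host's share of the timeouts can be computed on its own row.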