"Carrier Failure: provider_name=*"
| dedup application_id | stats count AS total_carrier_errors
| append
[search host="prod-celery-gateway-0*" sourcetype="supervisor"
"driver dispatch_request: Sending request to" NOT failed
| stats count AS total_requests]
| table total_carrier_errors total_requests
| eval carrier_errors_percent=(total_carrier_errors/total_requests*100)
Can anyone guide me with this?
Thank You!
Is there a specific source type that the first one can be referenced against?
I find the following approach to work best: I write two independent searches to bring the datasets we want.
Write a search to do an OR statement, ((Search1) OR (Search2)), and pipe it to stats; I have done counts against matches on sourcetype. In your example I don't know if the first search has an exact sourcetype. I did an example using "firstsourcetype" as a variable, to be replaced twice in the search with the actual sourcetype to be used:
The following search is intended to run both searches and then | stats (count matches by sourcetype, or with no by clause as necessary based on the objective), then do the eval, then the table:
( sourcetype="firstsourcetype" "Carrier Failure: provider_name=*" ) OR
( sourcetype="supervisor" host="prod-celery-gateway-0*" "driver dispatch_request: Sending request to" NOT failed )
| stats count(eval(LIKE(sourcetype,"firstsourcetype"))) as total_carrier_errors, count(eval(LIKE(sourcetype,"supervisor"))) as total_requests
| eval carrier_errors_percent=(total_carrier_errors/total_requests*100)
| table total_carrier_errors total_requests carrier_errors_percent
No, this will not help me. Actually, my problem is different from this one: I want to run two separate queries. One will return me the total number of requests and the second query will return me the number of the failed requests, and then I want to calculate the percentage based on these two returned values.
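An added example, not part of any post in this thread: one way to keep the two searches separate and still compute the percentage. `append` stacks the subsearch result as a second row, so the `eval` never sees both counts on the same row; `appendcols` places `total_requests` beside `total_carrier_errors` on one row. The search strings are the ones from the question; any index or sourcetype constraint for the first search is not shown on the page and is left out here.

```spl
"Carrier Failure: provider_name=*"
| dedup application_id
| stats count AS total_carrier_errors
| appendcols
    [search host="prod-celery-gateway-0*" sourcetype="supervisor"
        "driver dispatch_request: Sending request to" NOT failed
    | stats count AS total_requests]
| eval carrier_errors_percent=if(total_requests > 0, round(total_carrier_errors / total_requests * 100, 2), null())
| table total_carrier_errors total_requests carrier_errors_percent
```

The bracketed search runs as a subsearch, so it is subject to subsearch time limits; if it is finalized early, `total_requests` is undercounted and the percentage reads too high.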