I am afraid but i dont want to collective count using eventstats I want Total count per catcode

OK I am confused - you want the total count by catcode? This is what the eventstats by catcode is doing. How are you using it, if it is not giving you what you expect?

event stats counts all events...meaning if I put catcode=AB with catcode=CD The total will remain the same for all catcodes lets say 100

But I want catcode count as 20 which for catcode=AB only and then if out of 20 catcode=AB has 4 failed as Errors  then its 5/20

Please share the SPL that gives you that result

yes, here this one is working but now I am unable to find how to keep top 10 only

head or top limit gets no impact on it

index=xyz (catcode="*") (prodid="1") success="*"
| bucket _time span="15m"

| eval TheError=if(success="false" AND Error="*",count,0)
| eval Success=if(success="true",count,0)
| stats sum(Error) as "Failed", sum(Success) as "Passed", sum(count) as Total by _time, catcode
| eval Failed_Percent=round((Failed/Total)*100,2)
| fields _time, catcode, Failed_Percent
| xyseries _time, catcode, Failed_Percent


Now this is working super fine if I mention different catcode like (catcode=AB OR catcode=CD OR catcode=XY)

but the moment I do catcode=*


it still works but shows all the catcodes trend lines making the graph messy and congested.....

What is not working here is the top limit or head command

if you can figure that out pls

Can you check 

index=xyz catcode="*" (prodid="1") (prodcat="*") success="*"

| eval TheError=if(success="false" AND catcode="RA",count,0)
| timechart span="15m" eval(round(sum(TheError)*100/sum(count),2)) by catcode useother=f

This one could be used with multiple codes, it shows correct % for RA but also shows other catcodes as '0' is there a way to hide others that are showing as "0"

Thanks a lot but I am afraid I cant use the rex ... its disabled

Hello @gcusello 

I found a workable query but a challenge again (describe below) in case you know how to tackle it


here this one is working but now I am unable to find how to keep top 10 only

head or top limit gets no impact on it

index=xyz (catcode="*") (prodid="1") success="*"
| bucket _time span="15m"

| eval TheError=if(success="false" AND Error="*",count,0)
| eval Success=if(success="true",count,0)
| stats sum(Error) as "Failed", sum(Success) as "Passed", sum(count) as Total by _time, catcode
| eval Failed_Percent=round((Failed/Total)*100,2)
| fields _time, catcode, Failed_Percent
| xyseries _time, catcode, Failed_Percent


Now this is working super fine if I mention different catcode like (catcode=AB OR catcode=CD OR catcode=XY)

but the moment I do catcode=*


it still works but shows all the catcodes trend lines making the graph messy and congested.....

What is not working here is the top limit or head command

if you can figure that out pls

Hi @beriwalnishant,

the easiest way is to use a larger span in buckets command: e.g. 30 or 60 minutes instaed 15 or you could also sort and use head.

I don't know your full requirements.

Ciao.

Giuseppe

intend to use large only but just for example and testing.

see this graph  - large or small .... all catcode are shown....with above query the only struggle is to be able to only limit the number of carriers - rest the query is fine