Solved: Re: Using count as a field for calculation

DerekKing · ‎02-05-2014

Hi,

I have a field "scanned_hosts" that has a value (say 20), and I also have a number of events, which to my understanding is the built in field count.

What I would like to do is create a radial gauge that is a percentage calculation of the two fields. so I want to do something like

index=blah source=blah | eval mypercentage = 100*(count/scanned_hosts) | gauge mypercentage

I can't use my command as it appears I dont have count available to use in the way that I want to use it, and stats count AS mycount doesnt give me what i'm looking for either.

Any Help would be appreciated

Thanks
Derek.

alacercogitatus · ‎02-05-2014

count is only generated during a statistical command.

Try this:

index=blah source=blah | stats count max(scanned_hosts) as scanned_hosts | eval mypercentage = 100 * ( count / scanned_hosts ) | gauge mypercentage

View solution in original post

alacercogitatus · ‎02-05-2014

count is only generated during a statistical command.

Try this:

index=blah source=blah | stats count max(scanned_hosts) as scanned_hosts | eval mypercentage = 100 * ( count / scanned_hosts ) | gauge mypercentage

DerekKing · ‎02-06-2014

Thanks very much. I think you have just cleared up a long time misunderstanding. "count is only generated during a statistical command".

The above works, and is exactly what I was looking for - thanks.

Derek.

Using count as a field for calculation

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor