Hullo,
I have a set of messages as data which are various events being sent from an app. Every single message has the user_id field, and some of them have a log_info field, which indicates that the message was sent to indicate an error. I want to find out what percentage of users are encountering errors over the past X minutes.
Here's what I have so far.
source="app" | stats dc(user_id) as users | eval percent=[search source="app" log_info=* | stats dc(user_id)]/users
I retrieve all the messages from the app initially, and then store a distinct count as 'users'. I run an eval to divide my subsearch by users. My subsearch does the same thing as the initial search, except further narrows down to only the messages with errors.
I've checked and both the searches work. In addition, if I run something like eval percent=users*50 it works fine, so I know that the datatype returned by stats dc() can be plugged into eval. Not sure what I could be doing wrong.
Thanks for any help!
You can use return
like this, too:
source="app" | stats dc(user_id) as users | eval percent=[search source="app" log_info=* | stats dc(user_id) as errs | return $errs]/users
Figures that after a couple hours of trying, I'd figure it out 30 minutes after posting.
source="app" | stats dc(user_id) as users | eval percent=[search source="app" log_info=* | stats dc(user_id) as errs | rename errs as query]/users
This works. Next up is finding out how to make it play nice with timechart instead of stats.
Thanks!
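A follow-up on the timechart question in the answer above, as an added example that is not part of the original thread. It sidesteps the subsearch entirely: because dc() counts only distinct non-null values, an eval that copies user_id into a helper field (assumed name err_user) only for messages carrying log_info lets one stats or timechart pass produce both counts, so there is no single value to hand back through query or return. The field names user_id, log_info and source="app" are from the question; the 15-minute window and 5-minute span are assumptions.

```spl
source="app" earliest=-15m
| eval err_user=if(isnotnull(log_info), user_id, null())
| timechart span=5m dc(user_id) AS users, dc(err_user) AS error_users
| eval percent=round(100 * error_users / users, 2)
```

Replacing the timechart line with `stats dc(user_id) AS users, dc(err_user) AS error_users` gives the single percentage from the original question. Computing both counts in one pass also avoids the default result and runtime limits that apply to subsearches, which can silently truncate the error count on a busy app.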
Have been looking for this for days...
("query" as a column name for returning values to eval expressions...)
Is that anywhere in the documentation?