Solved: Weight host using lookup table.

jevenson · ‎04-15-2013

I'm trying to get a weighted ratio of errors per server. I have a lookup table like this:

host,percent
server1,25
server2,25
server3,50

Normally I'd do something like sourcetype=iis sc_status=500 [| inputlookup ratio | fields host] | chart count by host, which gives me a count of errors by server, but I want a weighted count based on that percent.

How would I use the lookup table to multiply the errors on a per server basis?

Ayn · ‎04-15-2013

Hi! 🙂

So, if what you want to do it multiply the count by the defined percent value for each of these hosts, you could do something like:

sourcetype=iis sc_status=500 [| inputlookup ratio | fields host] | lookup yourlookuptable host OUTPUT percent | chart count by host | eval weightedcount=count*percent/100

View solution in original post

Ayn · ‎04-15-2013

Hi! 🙂

So, if what you want to do it multiply the count by the defined percent value for each of these hosts, you could do something like:

sourcetype=iis sc_status=500 [| inputlookup ratio | fields host] | lookup yourlookuptable host OUTPUT percent | chart count by host | eval weightedcount=count*percent/100

Weight host using lookup table.

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

Weight host using lookup table.

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...