Hi,
I am using a search
Mysearch
| eval Guest=if(sid=22, "BOT", "Others")
| convert timeformat="%Y-%m-%d" ctime(_time) AS date
|chart count over Guest by date
And the result is like below.
Guest 2024-12-18 2024-12-19
BOT 10 20
Others 90 80
Now I want to display the percentage of activity by Guest over date
Maybe something like below
Guest 2024-12-18 2024-12-19
BOT 10 (10%) 200(20%)
Others 90 (90%) 800(80%)
Could someone possibly help here?
Many thanks
Hello hello!
There may be a simpler way to get this working, but my first thought is to use something like this:
Mysearch
| eval Guest=if(sid=22, "BOT", "Others")
| convert timeformat="%Y-%m-%d" ctime(_time) AS date
| stats count by date, Guest
| eventstats sum(count) as total by date
| eval percentage=round((count/total)*100, 0)
| eval count=count." (".percentage."%)"
| xyseries Guest date count
Edit: Yep, here is a version that's a little shorter:
Mysearch
| eval Guest=if(sid=22, "BOT", "Others")
| bin _time span=1d
| stats count by _time Guest
| eventstats sum(count) as total by _time
| eval
percentage=round((count/total)*100, 0),
count=count." (".percentage."%)"
| xyseries Guest _time count
Awesome!
Please try:
index=<yourindex> sid=*
| eval Guest=if(sid=22, "BOT", "Others")
| bin _time span=1d
| eventstats count as totalevents by _time
| eventstats count as guest_count by Guest _time
| eval percentage=round((guest_count/totalevents)*100,2)
| eval final_field = guest_count. "(" .percentage. " %)"
| eval time=strftime(_time, "%Y-%m-%d")
| chart values(final_field) over Guest by time