- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi , I have 2 queries :
index="bar_*" sourcetype =foo crm="ser"
| dedup uid
| stats count as TotalCount
and
index="bar_*" sourcetype =foo crm="ser" jet="fas"
| dedup uid
| stats count as TotalFalseCount
I need both of these queries merged and then take "TotalCount" and "TotalFalseCount" and get value from these as : ActualPercent= (TotalFalseCount/TotalCount)*100.
I created one query as below:
index="bar_*" sourcetype =foo crm="ser"
| dedup uid
| stats count as TotalCount by zerocode SubType
| appendcols
[searchindex="bar_*" sourcetype =foo crm="ser" jet="fas"
| dedup uid
| stats count as TotalFalseCount by zerocode SubType]
| eval Percent=(TotalFalseCount/TotalCount)*100
| stats count by zerocode SubType Percent
but the value of "Percent" is completely wrong, can anybody help to know how can I get proper value of "Percent" in above case ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With Minor modification it exactly helped to do what I was looking for :
index="bar_*" sourcetype =foo crm="ser"
| dedup uid
| stats count as TotalCount by zerocode SubType
| append
[search index="bar_*" sourcetype =foo crm="ser" jet="fas"
| dedup uid
| stats count as TotalFalseCount by zerocode SubType]
| stats values as * by zerocode SubType
| eval Percent=(TotalFalseCount/TotalCount)*100
| eval Percentage = round('Percent',2)
| xyseries SubType zerocode Percentage
| fillnull value="NA"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@richgalloway -- You are awesome ! Thanks a lot !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One problem with the appendcols command is it depends on the order of results being identical in both queries, which is not likely.
Use the append command instead then combine the two set of results using stats.
index="bar_*" sourcetype =foo crm="ser"
| dedup uid
| stats count as TotalCount by zerocode SubType
| append
[search index="bar_*" sourcetype =foo crm="ser" jet="fas"
| dedup uid
| stats count as TotalFalseCount by zerocode SubType]
| stats values(*) as * by zerocode SubType
| fillnull value=0 TotalFalseCount
| eval Percent=(TotalFalseCount/TotalCount)*100
| stats count by zerocode SubType Percent
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With Minor modification it exactly helped to do what I was looking for :
index="bar_*" sourcetype =foo crm="ser"
| dedup uid
| stats count as TotalCount by zerocode SubType
| append
[search index="bar_*" sourcetype =foo crm="ser" jet="fas"
| dedup uid
| stats count as TotalFalseCount by zerocode SubType]
| stats values as * by zerocode SubType
| eval Percent=(TotalFalseCount/TotalCount)*100
| eval Percentage = round('Percent',2)
| xyseries SubType zerocode Percentage
| fillnull value="NA"
