I am trying to generate a list of the percentages of response codes by resultCode by app. A simplified version of events are: appName=app1, resultCode=500 appName=app1, resultCode=500 appNa...
See more...
I am trying to generate a list of the percentages of response codes by resultCode by app. A simplified version of events are: appName=app1, resultCode=500 appName=app1, resultCode=500 appName=app1, resultCode=404 appName=app2, resultCode=404 ... If I do <initial search that returns the above events> | stats count by appName resultCode it gets me very close to what I am trying to do and outputs something like this to the Statistics tab: appName resultCode count app1 500 25 app1 404 10 app1 200 100 app2 500 14 I need to take this one step further, and have an output that instead of showing the count by resultCode, will instead show the percentage each resultCode comprises by appName. The ideal result is: appName 200 404 500 app1 90 2 8 app2 85 10 5 ... This is ideal, but even if the result was app1, 200, 90 app1, 404, 2 app1, 500, 8 ... (where the columns are appName, resultCode, and percentage (based on the count of events by code for an app over all events for the app) I can get a count of events by appName in a separate query to be able to get to the total, but I am just not finding how to use that specific appName's total used for each of the specific app error values all together. I'm missing how to do | stats count by appName as appTotal | stats count by appName resultCode as appResult | eval resultPerc=rount((appResult*100)/appTotal, 2) and have that show in a table in a way that can be clearly displayed. Thanks for any ideas on what I might be missing here would be appreciated!