source="/home/splunk/nagios_temp/var/nagios.log" NGTC*P OR NGTC*S status_code="DOWN" OR "CRITICAL" OR "HARD" NOT OK NOT SOFT | dedup 1 host_name sortby -_time | transaction maxspan=5s maxpause=>300s | lookup TCSiteXref.csv host_name OUTPUT site_name, site_weight, total_weight | search site_name=* | stats min(site_weight) as site_weight min(total_weight) as total_weight by site_name | eval availability_metric=(total_weight/site_weight) | fields availability_metric, site_name | top availability_metric availability_metric count percent 703.492374 3 33.333333 684.983196 1 11.111111 671.700154 1 11.111111 658.223864 1 11.111111 530.223672 1 11.111111 436.152859 1 11.111111 305.26611 1 11.111111 Want site_names (field) to the left. And after all that I will have to get an overall percentage (only equals 99.999999% I realize) to show in a panel. Thanks ... View more

Thanks for your answer. I have bee n playing with top for percentages. Percentages(is supposed to equal)=the value of weight. I did try | top site_name by availability_metric which produces a backwards percentage i.e. meaning the availability(metric) is a lower number with a high percentage and all are "counts" of one. So to your point just doing the | top (availability) after the eval produces a correct percentage of availability but no site_names field - tried fields site_name to no avail ... View more