Here is my current query. I either get the Totals label in the last column or not at all. I need it to show in the first column at the beginning of the Totals row. Any help is greatly appreciated. Thanks.  index=etims_na sourcetype=etims_prod platformId=5 bank_fiid=CHUA | eval response_time=round(if(strftime(_time,"%Z") == "EDT",((j_timestamp-entry_timestamp)-14400000000)/1000000,((j_timestamp-entry_timestamp)-14400000000)/1000000-3600),3) | stats count AS Transactions count(eval(response_time <= 1)) AS "Good" count(eval(response_time <= 2)) AS "Fair" count(eval(response_time > 2)) AS "Unacceptable" avg(response_time) AS "Average" BY bank_fiid | eval "%Good"=(Good/Transactions)*100 | eval "%Fair"=(Fair/Transactions)*100 | eval "%Unacceptable"=(Unacceptable/Transactions)*100 | addinfo | eval "Report Date"=strftime(info_min_time, "%m/%Y") | table bank_fiid, "Transactions", "Good", "%Good" "Fair", "%Fair", "Unacceptable", "%Unacceptable", "Average", "Report Date" | rename bank_fiid as "Vision ID" | addcoltotals label=Total | append [|makeresults | eval "Vision ID"="Threshold" | eval "Good" = "response <= 1s" | eval "Fair" = "1s < response <= 3s" | eval "Unacceptable" = "3s < response"] | fields - _time ... View more

I'm trying to achieve the following output using the table command, but am hitting a snag.  Vision ID Transactions Good % Good Fair % Fair Unacceptable % Unacceptable Average Response Time Report Date ABC STORE (ABCD) 159666494 159564563 99.9361601 101413 0.063515518 518 0.000324426 0.103864001 Jul-24 Total 159666494 159564563 99.9361601 101413 0.063515518 518 0.000324426 0.103864001 Jul-24                     Thresholds   response <= 1s   1s < response <= 3s 3s < response       Here is my broken query: index=etims_na sourcetype=etims_prod platformId=5 bank_fiid = ABCD | eval response_time=round(if(strftime(_time,"%Z") == "EDT",((j_timestamp-entry_timestamp)-14400000000)/1000000,((j_timestamp-entry_timestamp)-14400000000)/1000000-3600),3) | stats count AS Total count(eval(response_time<=1)) AS "Good" count(eval(response_time<=2)) AS "Fair" count(eval(response_time>2)) AS "Unacceptable" avg(response_time) AS "Average" BY Vision_ID | eval %Good= round((Good/total)*100,2), %Fair = round((Fair/total)*100,2), %Unacceptable = round((Unacceptable/total)*100,2) | addinfo | eval "Report Date"=strftime(info_min_time, "%m/%Y") | table "Vision_ID", "Transactions", "Good", "%Good" "Fair", "%Fair", "Unacceptable", "%Unacceptable", "Average", "Report Date" The help is always appreciated. Thanks! ... View more

When using regex how can I take a field formatted as "0012-4250" and only show the 1st and lat 3 digits? I tried the following in which maintains the original output: | eval AcctCode = replace(AcctCode,"(\d{4}-)(\d{4})","\1\2") ... View more

Stuck again and not sure what I'm missing... I have the first two steps, but cannot figure out the syntax to use Timechart to count all events as a specific label. Any help is greatly appreciated.  The Task:  Use timechart to calculate the sum of price as "DailySales" and all count all events as "UnitsSold". What I have so far:  index=web sourcetype=access_combined status=200 productId=* |timechart sum(price) as DailySales ... View more

How do I add a  new field and set the value to seven days ago from the current date, snapped to the beginning of the current date? I know the date syntax should be "earliest=-7d@d", but am unsure if I should use the eval command to add the field and the specific syntax. Thanks.  ... View more