Hello all, Currently I have acquired a timechart in the format: Field_A / Field_B / Field_C / Field_D / Total //// 10 ///////// 20 ///////// 15 ////////// 5 //////// 50 etc. using the | addtotals command. I would like to somehow change each column to represent a percentage of the total to wind up with something like: Field_A / Field_B / Field_C / Field_D //// 0.2 //////// 0.4 //////// 0.3 ///////// 0.1 Thanks very much. Any help would be greatly appreciated! ... View more

Hello all, I've seen examples of how to find time between events using streamstats , and also to find the time since the most recent event using stats , but how would I accomplish doing both? Ultimately I'm trying to detect a loss of information that's reported every 10 minutes, so I'm using streamstats to search for differences of > 10 min, however this "outage" isn't detected until after the data is reported again, thus giving streamstats two items to actually compare. I need all of these deltas, and also the time since the most recent as occurred. Thanks, and here's some code I have: search | streamstats current=t last(_time) as last_time by field | eval outage= last_time - _time | eval outage=tostring(outage, "duration") | table field _time outage ... View more

Hello all. I have calculated measures of a given statistic for a variety of values for the field "Link", and I need to keep the top 99% of values for each Link, and then find the average/minimum of what is left over. Any idea how to do that? I tried sorting, then dedup X Link to return the top X values, but the problem is each link has a different number of points. Any help would be greatly appreciated! ... View more