I have a search that works correctly when specific field values are entered, but I would like to create a report for the same search for all of the field variations. This would be similar to different hosts; however, it is using fields that are populated by an autolookup. Here is the search syntax that works correctly:
tag=TagA field1=A field2=B Field3=C | eval flt=if(ds_name=="X", ds_value, NULL) , flr=if(ds_name=="Y", ds_value, NULL)| sort 0 _time | delta flt as flt_delta | delta flr as flr_delta | eval min=0 | eval fltd_corrected=if(flt_delta<0,NULL,flt_delta) | eval flrd_corrected=if(flr_delta<0,NULL,flr_delta) | stats sum(fltd_corrected) as fltd_total sum(flrd_corrected) as flrd_total | eval fls=(fltd_total-flrd_total) | eval flp=(flrd_total/fltd_total)*100
This outputs fltd_total flrd_total flp fls
I would like to change this to something close to the following (this does not work because the delta does not know what specific events to use):
tag=TagA | eval flt=if(ds_name=="X", ds_value, NULL) , flr=if(ds_name=="Y", ds_value, NULL)| sort 0 _time | delta flt as flt_delta | delta flr as flr_delta | eval min=0 | eval fltd_corrected=if(flt_delta<0,NULL,flt_delta) | eval flrd_corrected=if(flr_delta<0,NULL,flr_delta) | stats sum(fltd_corrected) as fltd_total sum(flrd_corrected) as flrd_total by field1 field2 Field3 | eval fls=(fltd_total-flrd_total) | eval flp=(flrd_total/fltd_total)*100
I know there are similar questions for multiple hosts but cannot wrap my head around it. Thank you so much for any help!
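One way to get a delta per field combination, as an added example that is not part of the original post: `delta` has no `by` clause, so this version replaces it with `streamstats ... by`, which carries the previous non-null value forward separately for each field1/field2/Field3 combination. The `flt_prev` and `flr_prev` field names are introduced here, and it assumes the three lookup fields are populated on every event.

```spl
tag=TagA
| eval flt=if(ds_name=="X", ds_value, null()), flr=if(ds_name=="Y", ds_value, null())
| sort 0 _time
| streamstats current=f last(flt) as flt_prev last(flr) as flr_prev by field1 field2 Field3
| eval flt_delta=flt-flt_prev, flr_delta=flr-flr_prev
| eval fltd_corrected=if(flt_delta<0, null(), flt_delta)
| eval flrd_corrected=if(flr_delta<0, null(), flr_delta)
| stats sum(fltd_corrected) as fltd_total sum(flrd_corrected) as flrd_total by field1 field2 Field3
| eval fls=fltd_total-flrd_total
| eval flp=(flrd_total/fltd_total)*100
```

The first event in each group has no previous value, so its delta is null and `stats sum()` skips it, which is how `delta` treats the first event in the single-group search.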