Hi,
I use the search below in order to count the number of events.
I want to do the same calculation, but in percent.
eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit')
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)
| stats dc(Degradation_Time) as Total by File_Name
| sort -Total limit=10
Could you help me, please?
My result is the total of degradation time by File_Name. The total is an integer number.
Now I want the same in percent.
I have done this, but I do not have exactly the same result.
The first field name in the integer panel is in second position in the percent panel:
eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)
| stats count by File_Name
| eventstats sum(count) as Total
| eval Percent=round((count/Total)*100,1). " %"
| table File_Name Percent
| sort -Percent limit=10
What do you mean by "the same calculation in percent"?
What is your total? The count of distinct Degradation_Time from all files? The count of Degradation_Time values from the total number of Degradation_Time?
Regards,
It was just an issue in my stats count. I close the topic.
Hi, you can try the top command (by default it will give 10 results, so I haven't used limit):
eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit')
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)
| top countfield=Total Degradation_Time by File_Name
If you want to consider distinct count as well, try this:
eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit')
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)
| stats dc(Degradation_Time) as Total by File_Name
| top Total by File_Name
It's not what I want.
In my query I count the number of degradation time by file name
I want the same thing in percent.....
Assuming that you are looking for sum(Degradation_Time) by file and then percentage, not count. See my answer below:
eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit')
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)
| stats sum(Degradation_Time) as Degradation_Time_By_File by File_Name
| appendcols
[search eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit')
| stats sum(Degradation_Time) as Total_Degradation_Time]
| filldown Total_Degradation_Time
| eval Percent_Degradation_Time_By_File =(Degradation_Time_By_File*100)/Total_Degradation_Time
Hope it works
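Added example, not written by any poster in this thread: one search that keeps the integer panel's metric (`dc(Degradation_Time)` by File_Name) and derives the percentage from it, so both panels rank the files by the same number. It sorts while Percent is still numeric and appends " %" afterwards, because a value such as "9.5 %" is a string and sorts lexicographically. Assumptions: the field name Grand_Total is introduced here, and "total" is taken to mean the sum of the per-file distinct counts.

```spl
eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit')
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)
| stats dc(Degradation_Time) as Total by File_Name
| eventstats sum(Total) as Grand_Total
| eval Percent=round((Total/Grand_Total)*100,1)
| sort 10 -Percent
| eval Percent=Percent." %"
| table File_Name Total Percent
```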