I am trying to display the time chart of percentage of users who get the error.
tag=SomeTagHere | eventstats dc(user_id) as userCount by _time | search error_severity | stats dc(user_id) as userError | timechart max(userError/userCount*100) by error_severity
It is not working, so obviously I am missing something.
Any help will be appreciated.
Try this:
tag=SomeTagHere
| timechart dc(user_id) as userCount dc(eval(case(searchmatch("error_severity"),user_id))) as errorUserCount
| eval percentage = errorUserCount / userCount * 100
Try this:
tag=SomeTagHere
| timechart dc(user_id) as userCount dc(eval(case(searchmatch("error_severity"),user_id))) as errorUserCount
| eval percentage = errorUserCount / userCount * 100
That's what I was afraid 🙂 But should work I guess.
I got it working, with exception of : | fields - users e*
I had to manually list all e0-e4 as e* didn't work
Ok, how about this:
tag=SomeTagHere
| timechart dc(user_id) as users
dc(eval(case(searchmatch("error_severity=0"),user_id))) as e0
dc(eval(case(searchmatch("error_severity=1"),user_id))) as e1
dc(eval(case(searchmatch("error_severity=2"),user_id))) as e2
dc(eval(case(searchmatch("error_severity=3"),user_id))) as e3
dc(eval(case(searchmatch("error_severity=4"),user_id))) as e4
| eval p0 = e0 / users * 100
| eval p1 = e1 / users * 100
| eval p2 = e2 / users * 100
| eval p3 = e3 / users * 100
| eval p4 = e4 / users * 100
| fields - users e*
Thanks, it's close but I need to report by error_severity, which will have different numbers. So at any given time period I need to see what percentage of users are getting any error_severity (which could be from 0-4)
Thanks!