How to use "where" clause in my search to timechar...

gpanicker · ‎01-10-2015

I need to timechart the percentage of the sum of Field1 based on the value of Field2 preferably using single query

For Eg. Field2 can be either true or false, I need (sum(Field1) when Field2=true ) / sum(Field1) * 100

something like this , but this not working

index=iis sourcetype=tracelog  | fields _time, noOfDays, IsPivot| search | where (IsPivot=true) | stats sum(noOfDays) as DaysTrue |

and then timechart the percentage of DaysTrue over time

stephanefotso · ‎01-11-2015

hello! try this:

index=iis sourcetype=tracelog | table _time  noOfDays  IsPivot| search  IsPivot=true | stats sum(noOfDays) as DaysTrue by IsPivot _time| join [search  index=iis sourcetype=tracelog | table _time, noOfDays, IsPivot| search  IsPivot=true | stats sum(noOfDays) as sum2]|eval per=sum/sum2*100 | chart values(per) as percentage by _time|head 10

example:

index= _internal| table _time sourcetype  component max_size_kb |search sourcetype=splunkd| stats sum(max_size_kb) as sum by sourcetype _time |join [search index= _internal| table _time sourcetype  component max_size_kb |search sourcetype=splunkd| stats sum(max_size_kb) as sum2]|eval per=sum/sum2*100 | chart values(per) as percentage by _time|head 10

SGF

How to use "where" clause in my search to timechart the percentage of the sum of Field1 based on the value of Field2?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?