I am looking to get percentages into a table.
I have 2 separate searches that count different events. I will like to combine the different searches into one table where the event count searches divide by the counts of the other search.
For example. If one search has a count of 50 and the other search has a count of 90. I will like a to create a table that shows 50/90= 55%.
Try something like this.
<your first search | stats count(blah) as count_first> | appendcols [search <your send search | stats count(blahblah) as count second >] | eval perc=round(count_first*100/count_second,2)
index=www VTR=100 OR VTR=50| stats count(eval(VTR=100)) as Count100, count(eval(VTR=50)) as Count50 | eval percentage=(Count100/Count50)*100
Here is a sample search:
Search 1
index=www VTR=100 | stats count(VTR)
Search 2
index=www VTR=50 | stats count(VTR)
Thanks.
Can you post a sample search? It can probably be done without using appends (which are inefficient)
Try something like this.
<your first search | stats count(blah) as count_first> | appendcols [search <your send search | stats count(blahblah) as count second >] | eval perc=round(count_first*100/count_second,2)
index=www VTR=100 OR VTR=50| stats count(eval(VTR=100)) as Count100, count(eval(VTR=50)) as Count50 | eval percentage=(Count100/Count50)*100
Thanks so much that worked like a charm
Ohh my bad. "<" was just used as placeholder for your search string. see updated answer per your example.
I tried the following:
but i am getting the following error.
Error in 'search' command: Unable to parse the search: Comparator '<' is missing a term on the left hand side.