I have 4 basic web services (I'll add more later) which are called throughout the day. My CalculateTax web service is called the most, followed by LookupTax with the 2nd most, DeliverySchedule with the 3rd most, and ProductAvailability with the least. So I want to make a dashboard pie chart which shows the distribution of these calls.
I tried extracting the fields for these calls but unfortunately I'm only getting 80% of the calls; I need 100% of them. So is there any way I could define each of the 4 searches as a variable, then tie all the variables together, find the percent of each web service and put it in a pie chart?
As of now I can do ... "CalculateTaxRequest" | stats count
and get a count of the results for CalculateTax but when trying to add another web service call onto that search it will not count or it will combine the count totals of both web services and I cannot get a distribution of each call.
Try something like this
..."CalculateTaxRequest" OR "LookupTax" OR "DeliverySchedule" OR "ProductAvailability" | eval Service=case(match(_raw,"CalculateTaxRequest"),"CalculateTaxRequest", match(_raw,"LookupTax"),"LookupTax", match(_raw,"DeliverySchedule"),"DeliverySchedule", 1=1,"ProductAvailability") | stats count by Service
Alternative approach
"CalculateTaxRequest" | stats count | eval Service="CalculateTaxRequest" | append
[search "LookupTax" | stats count | eval Service="LookupTax"] | append
[search "DeliverySchedule" | stats count | eval Service="DeliverySchedule"] | append
[search "ProductAvailability" | stats count | eval Service="ProductAvailability"] | table Service,count
Thanks for the reply. I followed your example and it output exactly what I was looking for. CalculateTax was perfect but the other 3 web services' counts were off by a lot. Any idea as to why that would happen?
DeliverySchedule = off by 231
ProductAvailability = off by 406
LookupTax = off by 296
My query assumes you have only one web service name available in one event. So, are you getting a lower count or a higher one?
Also, try the alternative approach if that helps.
I tried the alternative approach and once again, CalculateTax is working great but the others are showing 0. For the first query you posted, I'm getting less.
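The "one web service name per event" assumption mentioned above can be checked with a self-contained search. This is an added example, not a query from the thread: the four events are constructed with makeresults, and the field names n, FirstMatch, all_matches and first_match_only are hypothetical. It compares what a first-match case() attributes to each service against a count of every service name found in each event.

```spl
| makeresults count=4
| streamstats count as n
| eval _raw=case(
    n=1, "constructed sample: CalculateTaxRequest id=1",
    n=2, "constructed sample: LookupTax id=2",
    n=3, "constructed sample: CalculateTaxRequest then LookupTax id=3",
    n=4, "constructed sample: DeliverySchedule with ProductAvailability id=4")
| eval FirstMatch=case(
    match(_raw,"CalculateTaxRequest"),"CalculateTaxRequest",
    match(_raw,"LookupTax"),"LookupTax",
    match(_raw,"DeliverySchedule"),"DeliverySchedule",
    match(_raw,"ProductAvailability"),"ProductAvailability")
| rex max_match=0 "(?<Service>CalculateTaxRequest|LookupTax|DeliverySchedule|ProductAvailability)"
| eval Service=mvdedup(Service)
| mvexpand Service
| stats count as all_matches, count(eval(FirstMatch=Service)) as first_match_only by Service
```

Where all_matches is higher than first_match_only for a service, some events name that service together with one that appears earlier in the case() list, so the first-match query credits them to the earlier service only.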
Follow the logic shown in this query:
search 1st | stats count as count1 | join [search 2nd|stats count as count2] | fields count1 count2 | transpose
Let me know if it works for you.