Hi all
I think this will be easy for you guys but I have no clue at the moment 😉
My search is very simple:
sourcetype=access_combined | regex uri="\.(gif|jpg|jpeg|png)$"
With adding
| stats count(_raw)
I get the number of events matching my regex.
How can I get the percentage of events matching my regex to the total number of events of the base search
sourcetype=access_combined
?
Thanks,
Simon
sourcetype=access_combined | eval request_type=if(match(uri, "\.(gif|jpe?g|png)"),"image", "other") | stats count(eval(request_type="image")) as image_requests count as total | eval img_pct=image_requests/total*100
or simplified:
sourcetype=access_combined | stats count(eval(match(uri, "\.(gif|jpe?g|png)"))) as image_requests count as total | eval img_pct=image_requests/total*100
sourcetype=access_combined | eval request_type=if(match(uri, "\.(gif|jpe?g|png)"),"image", "other") | stats count(eval(request_type="image")) as image_requests count as total | eval img_pct=image_requests/total*100
or simplified:
sourcetype=access_combined | stats count(eval(match(uri, "\.(gif|jpe?g|png)"))) as image_requests count as total | eval img_pct=image_requests/total*100
Absolutely what I searched for - thanks a lot!