I wish to count the number of events and then use that value to calculate something else.
I tried something like this:
index=dotcom sourcetype=dotcom_access_log status != 2* pid=www.abc.com |
eventstats count as todayTotal |stats count(status) as todayValue by status | eval percent = (todayValue/todayTotal)*100
But todayTotal comes as empty when I use it in eval (though the bold line successfully gets the value of todayTotal).
Please suggest how I can use the value of "total number of events" (todayTotal in the case above).
Like this:
index=dotcom sourcetype=dotcom_access_log status != 2* pid=www.abc.com|stats count(status) as todayValue by status | eventstats sum(todayValue) AS todayTotal | eval percent = (todayValue/todayTotal)*100
Move your eventstats after your stats command and change it to | eventstats sum(todayValue) as todayTotal
Does this give you what you're looking for?
index=dotcom sourcetype=dotcom_access_log pid=www.abc.com | stats count as total count(eval(NOT like(status,"2%"))) as statuscount | eval percent=statuscount/total*100
If you want the percentage for all status > 200 then try this
index=dotcom sourcetype=dotcom_access_log pid=www.abc.com status>299 | stats count by status | stats sum(count) as value by status | eventstats sum(value) as total | eval percent=value/total*100
I think the search is losing the field todayTotal when it does the stats command by status. I think the search should do the stats by status, todayTotal, which will also keep the todayTotal field in the results so you can calculate the percent field.
...|stats count(status) as todayValue by status,todayTotal | eval percent = (todayValue/todayTotal)*100
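To make the field-loss concrete, here is a small Python model of the three pipelines discussed in this thread: the original search (eventstats before stats), the first answer (eventstats sum after stats) and the last answer (carrying todayTotal through the by-clause). This is an added illustration, not code from any of the posts. The sample access-log events are constructed, and the helper functions only approximate how Splunk's stats, eventstats and eval behave (stats keeps only by-fields plus aggregates; eval arithmetic on a missing field yields null).

```python
from collections import OrderedDict

# Constructed sample events standing in for dotcom_access_log (not real data).
EVENTS = [
    {"status": "200", "uri": "/"},
    {"status": "200", "uri": "/a"},
    {"status": "200", "uri": "/b"},
    {"status": "404", "uri": "/missing"},
    {"status": "404", "uri": "/gone"},
    {"status": "500", "uri": "/api"},
    {"status": "302", "uri": "/login"},
]


def search_filter(events):
    """Model the search-time term `status != 2*`: drop any status starting with '2'."""
    return [dict(e) for e in events if not str(e["status"]).startswith("2")]


def eventstats_count(events, as_field):
    """Model `eventstats count as <as_field>`: annotate every event, keep all fields."""
    total = len(events)
    return [{**e, as_field: total} for e in events]


def eventstats_sum(rows, field, as_field):
    """Model `eventstats sum(<field>) as <as_field>`: same total stamped on every row."""
    total = sum(r[field] for r in rows)
    return [{**r, as_field: total} for r in rows]


def stats_count(events, by, as_field):
    """Model `stats count(...) as <as_field> by <by...>`.

    Only the by-fields and the aggregate survive; every other field is gone,
    which is exactly why todayTotal disappears in the original search.
    """
    counts = OrderedDict()
    for e in events:
        key = tuple(e.get(f) for f in by)
        counts[key] = counts.get(key, 0) + 1
    return [dict(zip(by, key), **{as_field: n}) for key, n in counts.items()]


def eval_percent(rows, value, total):
    """Model `eval percent = (value/total)*100`: null when either operand is missing."""
    out = []
    for r in rows:
        if r.get(value) is None or r.get(total) is None:
            out.append({**r, "percent": None})
        else:
            out.append({**r, "percent": r[value] / r[total] * 100})
    return out


def original_search(events):
    """eventstats count ... | stats count(status) by status | eval percent"""
    rows = eventstats_count(search_filter(events), "todayTotal")
    rows = stats_count(rows, by=["status"], as_field="todayValue")
    return eval_percent(rows, "todayValue", "todayTotal")


def answer1_search(events):
    """stats count(status) by status | eventstats sum(todayValue) | eval percent"""
    rows = stats_count(search_filter(events), by=["status"], as_field="todayValue")
    rows = eventstats_sum(rows, "todayValue", "todayTotal")
    return eval_percent(rows, "todayValue", "todayTotal")


def answer3_search(events):
    """eventstats count ... | stats count(status) by status,todayTotal | eval percent"""
    rows = eventstats_count(search_filter(events), "todayTotal")
    rows = stats_count(rows, by=["status", "todayTotal"], as_field="todayValue")
    return eval_percent(rows, "todayValue", "todayTotal")


if __name__ == "__main__":
    for name, fn in (("original", original_search),
                     ("answer 1", answer1_search),
                     ("answer 3", answer3_search)):
        print(name)
        for row in fn(EVENTS):
            print("  ", row)
```

Running it shows the original pipeline producing a null percent for every status row because todayTotal never survives the stats command, while both fixes yield 50% for 404 and 25% each for 500 and 302 over the four non-2xx events.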