I have a table that shows the count of messages in my log. I want to be able to display the percentage of these using one entry as the number I care about. First, here is the search I am using:
<search> | eval msg=<something> | stats count by msg | sort - count
This gives something like this:
I would like to have a new column with the percentage based on 'out of the NumInterstingEntries' value, like this:
How would I achieve this? I tried adding
| eventstats count as "totalCount" | eventstats count as "choiceCount" by msg | eval percent=(choiceCount/totalCount)*100 | stats values(percent) by msg | sort - values(percent)
but this adds the column up to make totalCount. I can't seem to select the cell I want to use instead of totalCount.
Thanks
what about something like this?
<search> | eval msg=<something> | stats count by msg | eventstats max(count) as max | eval percent = tostring((count/max)*100)."%" | fields - max
Perfect, thanks 🙂 I just added the following on the end to make it sorted
| sort - count
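An added example, not part of the original thread: a run-anywhere variant that takes the denominator from one named row instead of the largest count, for cases where the reference entry is not guaranteed to be the biggest. The `makeresults` lines only build constructed sample data (the messages and counts are made up, and the reference label is copied from the question); in a real search, replace everything up to `table` with `<search> | eval msg=<something> | stats count by msg`.

```spl
| makeresults
| eval data="NumInterstingEntries=200;login failed=340;timeout=50;disk full=10"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<msg>[^=]+)=(?<count>\d+)$"
| eval count=tonumber(count)
| table msg count
| eventstats max(eval(if(msg=="NumInterstingEntries", count, null()))) as base
| eval percent=if(isnull(base) OR base==0, "n/a", tostring(round((count/base)*100, 2))."%")
| fields - base
| sort - count
```

Rows with a higher count than the reference row show more than 100%, and if the reference message is absent from the time range every row shows "n/a" instead of an empty cell.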