Hello,
I have this query:
index=dm counter="Short Equity Loop Duration" | timechart span=1h max(Value),median(Value) by counter | rename "max(Value): Short Equity Loop Duration" AS "Max Values", "median(Value): Short Equity Loop Duration" AS "Median Values"
The total event count is 86,397. I would like to add a percentage field that counts how many events had a value below 1000, more than 1000 to 2000, 2001 to 3000, etc.
Can anyone help?
Thanks,
Rotem
Run this for "Last 24 hours"
Your base search here with no other commands (pipes)| bucket Value span=1000 | top limit=0 Value
So you are throwing away your timechart then? I do not understand. Give us some sample events (or intermediary events that you know are good for you) and a mockup of desired final output (stats tab, not visualization tab).
Hi,
Thanks for the answer - here is an example event
07/06/2016 06:30:42.149 +0000
collection=DealMonitor
object=DealMonitor
counter="Short Equity Loop Duration"
instance=0
Value=6476
What I'm trying to achieve is a time chart (24 hours) with a 1h span that shows the percentages of values that were between:
1-1000
1001-2000
2001-3000
3000.....
Thanks
Try this
index=dm counter="Short Equity Loop Duration"
| bin span=1h _time as time
| eventstats count(eval(Value<1000)) as cntBelow count(eval(Value>=1000 AND Value<2001)) as cntBetween count(eval(Value>2000)) as cntAbove count as Total by time counter
| eval percBelow=tostring(cntBelow/Total*100, "commas")."%"
| eval percBetween=tostring(cntBetween/Total*100, "commas")."%"
| eval percAbove=tostring(cntAbove/Total*100, "commas")."%"
| chart values(cnt*) as * values(perc*) as * over time by counter
| eval time=strftime(time, "%x %X")
| rename ....
index=dm counter="Short Equity Loop Duration"
| bin _time span=1h
| eventstats count AS count, count(eval(Value<1000)) AS low, count(eval(1000<=Value AND Value<2000)) AS midlow, ... BY _time
| eval lowperc=(low/count)*100
| eval midlowperc=(midlow/count)*100
...
| timechart span=1h values(lowperc) AS LowPercentage, values(midlowperc) AS MidLowPercentage, ... max(Value),median(Value) by counter
| rename "max(Value): Short Equity Loop Duration" AS "Max Values", "median(Value): Short Equity Loop Duration" AS "Median Values"
Add the other possibilities where I added ...
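An added example, not part of any answer in this thread: one way to get the hourly percentage per value range the question asks for, using the asker's boundaries (1-1000, 1001-2000, 2001-3000, above 3000). The first two lines build constructed sample events with makeresults so the search runs without the dm index; the field names range, events, total and pct are assumptions chosen for this example. Events with no Value get their own "no value" column instead of being counted in the top range.

```spl
| makeresults count=2000
| eval _time=now() - (random() % 86400), Value=random() % 8000, counter="Short Equity Loop Duration"
| bin _time span=1h
| eval range=case(isnull(Value), "no value", Value<=1000, "0001-1000", Value<=2000, "1001-2000", Value<=3000, "2001-3000", true(), "3001+")
| stats count AS events BY _time range
| eventstats sum(events) AS total BY _time
| eval pct=round(events/total*100, 2)
| xyseries _time range pct
| fillnull value=0
```

To use it on real data, replace the first two lines with index=dm counter="Short Equity Loop Duration" and run it over "Last 24 hours"; each row is one hour and its columns add up to 100.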