Solved: How to generate a search that will compare Log_Lev...

mercur · ‎12-16-2016

Hi

I want to do a search of something i would think would be very simple but i cant get it to work.

I want to compare the Log_Level Events that i have to the total events for that day?

So for example WARN/TotalEvents in 24 Hours.

Hope someone can help

somesoni2 · ‎12-16-2016

Try something like this.

your base search Log_Level=* | stats count as TotalEvents count(eval(Log_Level="WARN")) as WARN

OR

your base search Log_Level=* | eval WARN=if(Log_Level="WARN",1,0) |  stats count as TotalEvents sum(WARN) as WARN

somesoni2 · ‎12-16-2016

Try something like this.

your base search Log_Level=* | stats count as TotalEvents count(eval(Log_Level="WARN")) as WARN

OR

your base search Log_Level=* | eval WARN=if(Log_Level="WARN",1,0) |  stats count as TotalEvents sum(WARN) as WARN

mercur · ‎12-16-2016

That worked flawlessly i think i made it to complicated.

To get the Percentage i added eval percentage=(WARN/TotalEvents) | table percentage is this the right way to do it ?

somesoni2 · ‎12-16-2016

Yes.. I would use something like this for more human readable format of percentage

...| eval percentage=round(WARN*100/TotalEvents,2))

How to generate a search that will compare Log_Level events to the total number of events?