We have a request to get values from a particular field based on % of bin count.
(1) index=ABC | timechart span=1d count by
=> With this we get the count of the bins for the particular days, spanned by day.
(2) index=ABC| top limit=0
=> With this we get the bin % of the field value, but it is not spanned; it covers the number of days we select in the time picker.
So I am looking for a search which will:
i. calculate the bin count of the values (i.e. error no 400, 200, 201, 208) separately; these should also be spanned based on the timechart span we specify, e.g. if I want the bin count on a per-day basis for the month, it should show that.
Thanks in advance for the help with the query.
Can you explain this query... the logic, etc.?
Thanks cmerriman, renjith.nair for your replies. One of my colleagues also found exactly what the client was looking for; the query looks as pasted below. However, I'll also try the queries you guys mentioned above so we have some more queries ready in case the client comes with something new. 🙂
index=<Index_Name> CustomField=<Custom_Field1> CustomField=<Custom_Field2>| bucket _time span=1d | stats count by _time,<Custom_Field2> | eventstats sum(count) as total by _time | eval percent=((count/total)*100)| table _time, <Custom_Field2>, count, total, percent
this should work:
index=ABC|bucket _time span=1d| stats count by errorNo _time|eventstats sum(count) as total by errorNo |eval percentage=(count/total)*100|chart values(percentage) by _time errorNo
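To make the logic of the accepted query and the one above concrete, here is an added Python re-implementation (not from the thread, not Splunk code) of the pipeline `bucket _time span=1d | stats count by _time, error_no | eventstats sum(count) as total by _time | eval percent=(count/total)*100`, run over a constructed list of events. It assumes ISO-8601 timestamps, buckets days in UTC (Splunk would use the search-time zone), and, like `stats count by`, drops events that lack the split field.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the thread): an ISO timestamp plus an error_no field.
# Day 1 has 3x200 and 1x400; day 2 has 1x200, 2x400, 1x201 and one event with no error_no.
SAMPLE_EVENTS = [
    {"_time": "2023-05-01T09:15:00Z", "error_no": 200},
    {"_time": "2023-05-01T10:20:00Z", "error_no": 200},
    {"_time": "2023-05-01T13:05:00Z", "error_no": 400},
    {"_time": "2023-05-01T23:59:00Z", "error_no": 200},
    {"_time": "2023-05-02T00:01:00Z", "error_no": 400},
    {"_time": "2023-05-02T08:30:00Z", "error_no": 201},
    {"_time": "2023-05-02T12:00:00Z", "error_no": 200},
    {"_time": "2023-05-02T18:45:00Z", "error_no": 400},
    {"_time": "2023-05-02T19:00:00Z"},  # no error_no: ignored by `stats count by ... error_no`
]


def bucket_time(ts: str) -> str:
    """Mimic `bucket _time span=1d`: floor the timestamp to the start of its UTC day."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%d")


def error_percent_per_day(events, field="error_no"):
    """
    stats count by _time, <field>  -> counts per (day, error)
    eventstats sum(count) as total by _time -> total events per day, attached to each row
    eval percent=(count/total)*100 -> share of that day's events for each error number
    Returns {day: {error: {"count": n, "total": t, "percent": p}}}.
    """
    counts = Counter((bucket_time(e["_time"]), e[field]) for e in events if field in e)
    totals = Counter()
    for (day, _err), n in counts.items():
        totals[day] += n
    rows = defaultdict(dict)
    for (day, err), n in sorted(counts.items()):
        rows[day][err] = {"count": n, "total": totals[day],
                          "percent": round(100.0 * n / totals[day], 2)}
    return dict(rows)


def chart_percent(rows):
    """Mimic `chart values(percentage) by _time errorNo`: one row per day, one column per error."""
    return {day: {err: v["percent"] for err, v in by_err.items()} for day, by_err in rows.items()}


if __name__ == "__main__":
    for day, cols in chart_percent(error_percent_per_day(SAMPLE_EVENTS)).items():
        print(day, cols)
```

Each day's percentages sum to 100 because `eventstats ... by _time` totals only that day's events, which is exactly the per-bucket share the question asks for.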
However, the answer that @renjith.nair gave seems logical as well; foreach statements work wonders.
Does this help?
index=your index|timechart span=10m count by error_no|addtotals row=true fieldname=_Total|foreach * [eval <<FIELD>> = '<<FIELD>>' * 100 / _Total]
Helped me - nice solution. Should be the accepted answer 😉
Thank you very much.
Hello Renjith, when I used the query it is not giving me a % value; instead it is giving me the same bin count as it provides with timechart.
Can you please tell me what I need to put for and is it the same field name which we want the count for?
You just execute the same query as a whole. Just change the index name and, if needed, error_no to your error number. Don't change FIELD.