Hey Folks,
Any suggestions on how to report on the total percent of my events that are duplicates?
I can find my dupes via:
... | eval dupfield=_raw | transaction dupfield maxspan=1s keepevicted=true
But how do I get my dupfield / by my total event count? An appended search then an eval? I was thinking there is a better way... perhaps with eventstats first and then piping to transaction...
Thx!
If I understand what you're going for, see if this works.
...| eval dupfield=_raw|stats count by dupfield|eval dupevents=if(count>1,count,0)|stats sum(count) as total sum(dupevents) as dupevents|eval percDup=dupevents/total*100
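An added example, not part of the original thread: the stats approach from the answer run over six constructed events (built with makeresults, sample text invented here), with a second measure, the hypothetical fields extra and percExtra, that counts only the redundant copies instead of every member of a duplicate group. Unlike the transaction search in the question, grouping by stats ignores the 1-second window, so identical _raw values at any time in the search range count as duplicates.

```spl
| makeresults count=6
| streamstats count as n
| eval _raw=case(n<=3, "login failed user=alice", n<=5, "login failed user=bob", true(), "login ok user=carol")
| eval dupfield=_raw
| stats count by dupfield
| eval dupevents=if(count>1,count,0), extra=count-1
| stats sum(count) as total sum(dupevents) as dupevents sum(extra) as extra
| eval percDup=round(dupevents/total*100,2), percExtra=round(extra/total*100,2)
```

With this sample, total=6, dupevents=5 (percDup=83.33) and extra=3 (percExtra=50): the first figure is the share of events that have at least one twin, the second is the share that would disappear if each group were collapsed to one event.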