I've been going around in circles on this all day and at this point figured I would post my question here:
sourcetype="EPPWEB" source="/opt/log/dotblah/web_server/info.log" OR source="/opt/log/dotblah/*/web_server/info.log" WAT | dedup registrar | stats count(registrar) as numviewed by description,registry
This search produces a small table that looks kinda like this:
Description Registry numviewed
Billing Invoice dotblah 3
Daily Auto Renewals dotblah 3
Billing Text dotblah 14
Annual Report dotblah 10
What I'm trying to do is create a percentage based on the numviewed values and a number displayed in a field. The field is:
actualcount 424
So I want to basically have a percent column showing the percent. So 3 out of 424 would be how many percent?
Description Registry numviewed actualcount percent
Billing Invoice dotblah 3 424
Daily Auto Renewals dotblah 3 424
Billing Text dotblah 14 424
Annual Report dotblah 10 424
I tried using eval at the end of this but it didn't do anything and showed no results:
sourcetype="EPPWEB" source="/opt/log/dotblah/web_server/info.log" OR source="/opt/log/dotblah/*/web_server/info.log" WAT | search description="*" | dedup registrar | stats count(registrar) as numviewed by description,registry | eval percent=(numviewed/registrycount)*100
How can i get the percentage I want?
First make sure you have the count
value in a field, so you can include it in eval
's calculations. By using eventstats
you can do this without losing information that is needed later on in the search pipeline. Then do the eval
stuff inline in your stats
command. Like this:
sourcetype="EPPWEB" source="/opt/log/dotblah/web_server/info.log" OR source="/opt/log/dotblah/*/web_server/info.log" WAT search description="*" | dedup registrar | eventstats count by description,registry | stats sum(count) as numviewed,sum(eval(100*numviewed/actualcount)) as percent by description,registry
actualcount is a static value that is currently in a lookup file
Where does actualcount come from - can you calculate it - if so how ? post the search that gives you the value of actualcount