I am creating a pie chart and it should contain two pieces. One piece should show what percentage of the entire logs contain the word "abend890", and the second piece should show the rest of the logs that do not contain that word.
I am trying something like below, but it won't work.
host="All_Error_Logs"
| eval word=case(like(_raw,"%abend890%"),"abend890",like(_raw, NOT"%abend890%"),"NOT_ABEND890")
| stats count by word
Hi @zacksoft,
It would be faster if you could extract the field and do a percentage on that. However, this should work for your above requirement.
host="All_Error_Logs" |stats count(eval(match(_raw,"abend890"))) as abend890,count(eval(NOT match(_raw,"abend890"))) as "NOT_abend890",count as total
|eval match_perc=round((abend890/total)*100,2),not_match_perc=round((NOT_abend890/total)*100,2)
Will it not be required to add an asterisk (*) before and after abend890 in the eval match statement?
This function compares the regex string REGEX to the value of SUBJECT and returns a Boolean value. It returns TRUE if the REGEX can find a match against any substring of SUBJECT. You could test it with a simple search:
index=_internal sourcetype="splunkd*"|stats count by sourcetype|stats count(eval(match(sourcetype,"access"))) as "web" , count(eval(NOT match(sourcetype,"access"))) as "Not Web"
| eval word=if(searchmatch("*abend890*"), "ABEND", "NOT_ABEND") | stats count by word
Thanks for the response.
I am a bit confused whether to use ("abend") or ("*abend*").
My sample logs are like this
1. fdjihfklsdfjsdhgrfgkjsdflk*abend890iofjsdfjs
2. shshffsjjfmicrosoft.abend890.erase*,hhhhfjksdzfhskjfhskdjfhsk
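The following is an added example, not code from any of the posters above, that reproduces in Python what the accepted answer's stats/eval pipeline and the match() explanation do: an unanchored regex finds the keyword anywhere in a line, so no asterisks are needed, and the two counts are turned into rounded percentages exactly as in match_perc / not_match_perc. The log lines are constructed here for illustration (the first two mirror the shape of the samples posted in the question); the function names are the example's own.

```python
import re

# Constructed sample log lines (not real data). The first two mirror the shape of the
# samples posted in the thread; the rest are filler so the percentages are not trivial.
SAMPLE_LOGS = [
    "fdjihfklsdfjsdhgrfgkjsdflk*abend890iofjsdfjs",
    "shshffsjjfmicrosoft.abend890.erase*,hhhhfjksdzfhskjfhskdjfhsk",
    "job finished ok rc=0",
    # re.search is case-sensitive, so this line is counted as NOT matching;
    # prefix the pattern with (?i) if a case-insensitive split is wanted.
    "ABEND890 seen in upper case only",
    "connection reset by peer",
]


def contains_keyword(line: str, keyword: str) -> bool:
    """Python equivalent of match(_raw, "abend890"): the pattern is unanchored, so it
    matches any substring of the line. re.escape keeps literal characters such as '.'
    or '*' in the keyword from being read as regex metacharacters."""
    return re.search(re.escape(keyword), line) is not None


def keyword_split(lines, keyword: str) -> dict:
    """Mirror of the answer's pipeline: count lines with and without the keyword and
    express both as percentages of the total, rounded to two decimals."""
    total = 0
    hits = 0
    for line in lines:
        total += 1
        if contains_keyword(line, keyword):
            hits += 1
    misses = total - hits
    pct = lambda n: round(n / total * 100, 2) if total else 0.0
    return {
        keyword: hits,
        f"NOT_{keyword}": misses,
        "total": total,
        "match_perc": pct(hits),
        "not_match_perc": pct(misses),
    }


def wildcard_in_regex_is_an_error(keyword: str) -> bool:
    """Answers the asterisk question from the thread for the regex case: in a regex,
    '*' is a quantifier (repeat the previous token), not a wildcard, so "*abend890*"
    is not even a valid pattern. Returns True when the regex engine rejects it."""
    try:
        re.compile(f"*{keyword}*")
    except re.error:
        return True
    return False


if __name__ == "__main__":
    print(keyword_split(SAMPLE_LOGS, "abend890"))
    print("'*abend890*' rejected as a regex:", wildcard_in_regex_is_an_error("abend890"))
```

With the five constructed lines above, two contain abend890 (the literal `*` in the log text is irrelevant to the match), giving 40.0% matched and 60.0% not matched. The asterisk wildcard form `*abend890*` belongs only to search-syntax functions such as searchmatch(), where `*` is a wildcard; in match() the plain keyword is the right spelling.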