I have two searches that use the same index and each return a numerical total, differing only in the period of time of the data they look at. How would I perform math on the search results, for example adding or calculating percentages?
| makeresults
| fields - _time
| eval Total1=[search index=data NOT ID="" earliest=-1d@d latest=-0d@d | regex name!="[a-z]."| dedup id | stats count | return $count]
| eval Total2=[search index=data NOT ID="" earliest=-0d@d latest=now | regex name!="[a-z]."| dedup id | stats count | return $count]
| eval FullTotal=Total1+Total2 | eval percentage=((Total1/FullTotal)*100)
Thank you, that works great!
Maybe, could you write the 2 queries please?
index=data NOT ID="" earliest=-1d@d latest=-0d@d | regex name!="[a-z]."| dedup id | stats count
index=data NOT ID="" earliest=-0d@d latest=now | regex name!="[a-z]."| dedup id | stats count
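A single-pass variant of the approach above, added here as an example and not part of the original thread: it reads the index once across both days and splits the distinct-id counts with `eval` inside `stats`, so no subsearch is needed and an empty result set does not divide by zero. The field name `day` is an assumption introduced for illustration, and `dc(id)` is assumed to match what `dedup id | stats count` returns for each period; the index and the fields `ID`, `name` and `id` are the ones from the posts above.

```spl
index=data NOT ID="" earliest=-1d@d latest=now
| regex name!="[a-z]."
| eval day=if(_time < relative_time(now(), "@d"), "yesterday", "today")
| stats dc(eval(if(day=="yesterday", id, null()))) AS Total1
        dc(eval(if(day=="today", id, null()))) AS Total2
| eval FullTotal=Total1+Total2
| eval percentage=if(FullTotal > 0, round((Total1/FullTotal)*100, 2), null())
```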