Hello, I am trying to do a percentage on fieldsummary values. Following is the query and the results for the query:
index=_* OR index=* sourcetype=OPENAPI_ACCERTIFYSECUREGATEWAY Details.RawRequest.transactionType=Reload | fieldsummary maxvals=3 *Details.RawRequest* | where (values like "%Empty%" OR values like "%Present%" OR isnull(values)) | fields - is_exact, max , mean, min, numeric_count, stdev, distinct_count | sort - num(count)
field count values
postalCode 53093 [{"value":"*** (Present) ***","count":53089},{"value":"*** (Empty) ***","count":4}]
countrySubdivision 52974 [{"value":"*** (Present) ***","count":52966},{"value":"*** (Empty) ***","count":8}]
address.phone 38069 [{"value":"*** (Present) ***","count":37675},{"value":"*** (Empty) ***","count":394}]
I need the percentage of present vs. empty values in the values field results above. Any ideas how this can be done?
If you were to write up a regex to extract the number of present values and do an eval to calculate the percentage, I think that’s what you’re looking for.
I’m on mobile, so bear with me right now. Something like:
| rex field=values "\(Present\) \*\*\*\",\"count\":(?<present_count>\d+)" | eval perc_present=(present_count/count)*100
Might need some tweaking.
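The approach suggested above, carried through for both percentages, as an added example that is not part of either post. The first five lines only rebuild the three result rows from the question with makeresults so the search runs without the original index. The names row, part, empty_count and perc_empty are assumptions introduced here, and fillnull covers rows where fieldsummary emits no "(Empty)" entry.

```spl
| makeresults
| eval row=split("postalCode,53093,53089,4;countrySubdivision,52974,52966,8;address.phone,38069,37675,394", ";")
| mvexpand row
| eval part=split(row, ","), field=mvindex(part, 0), count=tonumber(mvindex(part, 1))
| eval values="[{\"value\":\"*** (Present) ***\",\"count\":" . mvindex(part, 2) . "},{\"value\":\"*** (Empty) ***\",\"count\":" . mvindex(part, 3) . "}]"
| rex field=values "\(Present\) \*\*\*\",\"count\":(?<present_count>\d+)"
| rex field=values "\(Empty\) \*\*\*\",\"count\":(?<empty_count>\d+)"
| fillnull value=0 present_count empty_count
| eval perc_present=round(tonumber(present_count) / count * 100, 2)
| eval perc_empty=round(tonumber(empty_count) / count * 100, 2)
| table field count present_count empty_count perc_present perc_empty
```

Against real data, drop the first five lines and append the pipeline from the first rex onward to the original search, after its where clause.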