Dear Excepts ,
Need your help to calculate percentage for daily stats.
I am using below query to calculate daily stats and their totals. Need your help come with percentage calculation for each uri_path as shown in "Excepted Results". your help would be much appreciated.
current Query :
index=test sourcetype=123:abc:abc tag::source=AP
uri_path="/url/url1" OR uri_path="/url/url2"
OR uri_path="/url/url3" OR uri_path="/url/url4"
| timechart span=1d count by "uri_path" limit=0 | addtotals
Current Results :
_time /url/url1 /url/url2 /url/url3 /url/url4 Total
2019-08-29T00:00:00.000+0000 100 100 100 100 400
2019-08-30T00:00:00.000+0000 100 100 100 100 400
2019-08-31T00:00:00.000+0000 100 100 100 100 400
2019-09-01T00:00:00.000+0000 100 100 100 100 400
2019-09-02T00:00:00.000+0000 100 100 100 100 400
Excepted Results :
_time /url/url1 /url/url2 /url/url3 /url/url4 Total
2019-08-29T00:00:00.000+0000 100 100 100 100 400
Percentage for 2019-08-29 25% 25% 25% 25% 25%
2019-08-30T00:00:00.000+0000 100 100 100 100 400
Percentage for 2019-08-30 25% 25% 25% 25% 25%
2019-08-31T00:00:00.000+0000 100 100 100 100 400
Percentage for 2019-08-31 25% 25% 25% 25% 25%
2019-09-01T00:00:00.000+0000 100 100 100 100 400
Percentage for 2019-09-01 25% 25% 25% 25% 25%
2019-09-02T00:00:00.000+0000 100 100 100 100 400
Percentage for 2019-09-02 25% 25% 25% 25% 25%
Any other suggestions from anyone else ?
If your URLs are in a predictable format, then you could do something like this:
your search
| foreach '/url*' [ |eval pct_<<FIELD>> = round(100*<<FIELD>>/Total,0)]
@DalJeanis , URLs are not in predictable format. Is it possible to use uri_path in the query to come-up with expected results ?
I tried below query , it didnt work.
index=test sourcetype=123:abc:abc tag::source=AP
uri_path="/url/url1" OR uri_path="/url/url2"
OR uri_path="/url/url3" OR uri_path="/url/url4"
| timechart span=1d count by "uri_path" limit=0 | addtotals
| foreach 'uri_path' [ |eval pct_uri_path = round(100*pct_uri_path/Total,0)]
For testing purpose , I also tried below query. it didnt work. I am getting same output which was printed in my previous post as "Current Results"
index=test sourcetype=123:abc:abc tag::source=AP
uri_path="/url/url1" OR uri_path="/url/url2"
OR uri_path="/url/url3" OR uri_path="/url/url4"
| timechart span=1d count by "uri_path" limit=0 | addtotals
| foreach '/url*' [ |eval pct_url = round(100*pct_url/Total,0)]
@DalJeanis , Please advice if you have any feedback for my previous post.