Solved: Re: How do I get the percentage of events in a log...

cj039165 · ‎07-22-2016

Hello -

I have a log file were ALL responses contain [Thread-645990] (note, the number changes for each response). In some of the responses we get a AAA*Y**42 buried in the data. I want to get the percentage of AAA*Y**42 in comparison to all the [Thread-######].

Thanks in advance for the help.

somesoni2 · ‎07-22-2016

Try like this (assuming ThreadId is extracted)

your base search | eval AAAY42=if(match(_raw,"AAA*Y*42"),1,0) | stats count as Total sum(AAAY42) as AAAY42 by ThreadId | eval Perc=round(AAAY42*100/Total,2)

Update

Per below comment

  your base search | eval AAAY42=if(match(_raw,"AAA*Y*42"),1,0) | stats count as Total sum(AAAY42) as AAAY42  | eval Percentage_AAAY42=round(AAAY42*100/Total,2) | table Total Percentage_AAAY42

View solution in original post

somesoni2 · ‎07-22-2016

Try like this (assuming ThreadId is extracted)

your base search | eval AAAY42=if(match(_raw,"AAA*Y*42"),1,0) | stats count as Total sum(AAAY42) as AAAY42 by ThreadId | eval Perc=round(AAAY42*100/Total,2)

Update

Per below comment

  your base search | eval AAAY42=if(match(_raw,"AAA*Y*42"),1,0) | stats count as Total sum(AAAY42) as AAAY42  | eval Percentage_AAAY42=round(AAAY42*100/Total,2) | table Total Percentage_AAAY42

cj039165 · ‎07-25-2016

Think I have it. I changed (_raw,"AAA*Y*42"),1,0) to (_raw, "AAA*Y**42*"). Thanks

ppablo · ‎07-27-2016

Glad you found a solution with help from @somesoni2. Please don't forget to resolve the post (and all your other questions) by clicking "Accept" directly below the answer. Also, be sure to upvote any answers and/or comments that were especially helpful.

ppablo · ‎07-27-2016

Ah sorry, I just saw your most recent comment in the thread above. I hope you get it sorted it out soon! but once you do, then follow up with my comments above. Thanks!

cj039165 · ‎07-22-2016

Hello -

This is getting me closer. This search shows 4 columns, thread, total, AAA42 and Perc. I trying to get two counts. First is the total number for 'thread-###' the second is the percentage of that count that are AAA*Y**42.

So one column would be Total number of responses (this is the thread count) the second column would be % of AAA_42.

Sorry if I was confusing in my question. Thanks for the help.

cj039165 · ‎07-25-2016

Good morning.

Interesting results in search. I ran your updated search, it shows 0% for AAA count. If I remove the 42 (AAA*Y*) I get the 35% count I would expect. Not sure why the 42 is causing an issue. AAA*Y* is good, give me a count for all the AAA responses. I'm wondering how to create a more granular search? How would I look for AAA*Y*72*C or AAA*Y*71*R. Thanks again.

somesoni2 · ‎07-22-2016

Try the updated answer.

cj039165 · ‎07-26-2016

Hello -

I noticed a problem with the search results. Turns out the 'thread-id' value can show up on different servers. So I need to calculate response time for the same files on three different servers.

Meaning look in

/hdx2/was70-32/AppServer/profiles/AppSrv01/logs/PRD2_PY0/TNBC_Receive.log

and

/hdx2/was70-32/AppServer/profiles/AppSrv01/logs/PRD2_PY0/TNBC_Send.log

on three different servers. However match the thread-ids on a server by server bases.

Thread-id 111111 on server WASAPP07 needs to be calculated separate from Thread-id 111111 on WASAPP08.

Here is the search I'm using now:

index=hdx_payer source="/hdx2/was70-32/AppServer/profiles/AppSrv01/logs/PRD2_PY0/TNBC_Receive.log" OR source="/hdx2/was70-32/AppServer/profiles/AppSrv01/logs/PRD2_PY0/TNBC_Send.log" | eval Time=_time | stats values(Time) as Time by thread_id | where mvcount(Time)=2 | eval response_time=tonumber(mvindex(Time,1))-tonumber(mvindex(Time,0)) | convert ctime(Time)

How do I get the percentage of events in a logging file

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...