Re: How to use "where" clause in my search to time...

gpanicker · ‎01-10-2015

I need to timechart the percentage of the sum of Field1 based on the value of Field2 preferably using single query

For Eg. Field2 can be either true or false, I need (sum(Field1) when Field2=true ) / sum(Field1) * 100

something like this , but this not working

index=iis sourcetype=tracelog  | fields _time, noOfDays, IsPivot| search | where (IsPivot=true) | stats sum(noOfDays) as DaysTrue |

and then timechart the percentage of DaysTrue over time

stephanefotso · ‎01-11-2015

hello! try this:

index=iis sourcetype=tracelog | table _time  noOfDays  IsPivot| search  IsPivot=true | stats sum(noOfDays) as DaysTrue by IsPivot _time| join [search  index=iis sourcetype=tracelog | table _time, noOfDays, IsPivot| search  IsPivot=true | stats sum(noOfDays) as sum2]|eval per=sum/sum2*100 | chart values(per) as percentage by _time|head 10

example:

index= _internal| table _time sourcetype  component max_size_kb |search sourcetype=splunkd| stats sum(max_size_kb) as sum by sourcetype _time |join [search index= _internal| table _time sourcetype  component max_size_kb |search sourcetype=splunkd| stats sum(max_size_kb) as sum2]|eval per=sum/sum2*100 | chart values(per) as percentage by _time|head 10

SGF

How to use "where" clause in my search to timechart the percentage of the sum of Field1 based on the value of Field2?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk