How could I add and additional (in my case total) field after the timechart is grouped by a field (e.g. httpcode)
| bucket _time bins=100 | eventstats count as total by _time | stats count first(total) as total by _time, httpcode | eval percent=(count/total)*100 | convert ctime(_time) as time | timechart span=1h first(percent) by httpcode | fillnull
I would like to see the following:
Datetime (span=1h) - 200 - 302 - 400 - 404 - 499 - 500 - total
8/10/11 12:00:00.000 AM - 0.857756 - 89.063617 - 0 - 0.142959 - 7.862759 - 0.929235
and so on.
... View more