I have a search, something like this:
search stuff
| rex "extract cat"
| rex "extract field2"
| rex "extract field3"
| eval theValue=coalesce(field2, field3)
| stats count by cat, theValue
| table count, cat, theValue
So, the output is something like this:
count | cat | theValue
55 | BER | A
2 | BER | 302
1 | BER | 201
14 | CCG | 502
3 | CCG | null
88 | CCG | 100
Now, if theValue is A or 100 (or one of a small constant set of values), then it represents a "success" case, if theValue is null it's an error, and any other theValue is an expected "failure" case. So, for each cat value, I want to calculate a percentage of success/failure and show the error count if it exists separately.
So, I want to change the above to: (expressions in {} show the calculation and I want to show the result of that)
cat | success | errors
BER | {55/(55+2+1)} |
CCG | {88/(88+14)} | 3
How might I accomplish this?
... View more