This is my search so far.
sourcetype="spam" | eventstats count as total | search block_code="*" | eventstats count as blocked | eval blk_prcnt=round((blocked/total)*100,2) | timechart span=1m values(blk_prcnt)
It seems to print the total percentage over the last 15 minutes that I am running it on.
I thought eventstats keeps all data, but it seems like something is getting lost?
Goal is a table or chart of total, blocked, and blk_prcnt for every minute.
I was starting slowly and looking to get blk_prcnt every minute over a 15 minute interval.
TIA,
-ALF
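For comparison, here is an added example search (not from the original post) that produces the per-minute table the question asks for. It keeps the page's `sourcetype="spam"` and `block_code` field; the 15 minute window via `earliest`/`latest` is an assumption. The point it shows is that `eventstats count` with no `by` clause attaches one count over the whole time range to every event, so `blk_prcnt` is a single constant and `timechart values()` just repeats it each minute. Doing the counting inside `timechart span=1m` buckets both totals per minute instead, and `count(block_code)` counts only events where the field is present, which is what the `block_code="*"` filter selected:

```spl
sourcetype="spam" earliest=-15m@m latest=@m
| timechart span=1m count as total, count(block_code) as blocked
| eval blk_prcnt=if(total>0, round((blocked/total)*100, 2), 0)
```

Each row is one minute with `total`, `blocked` and `blk_prcnt` side by side; the `if(total>0, ...)` guard avoids a division by zero in minutes with no events, and no intermediate `search` filter is needed because the non-blocked events must stay in the pipeline for `total` to be correct.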