I have a table that shows the count of messages in my log. I want to be able to display the percentage of these using one entry as the number I care about. First, here is the search I am using:
<search> | eval msg=<something> | stats count by msg | sort - count
This gives something like this:
msg, count
NumInterestingEntries, 10000
LableA, 8888
LableB, 6003
LableC, 4987
I would like to have a new column with the percentage based on 'out of the NumInterstingEntries' value. like this:
msg, count
NumInterestingEntries, 10000, 100%
LableA, 8888, 88.88%
LableB, 6003, 60.03%
LableC, 4987, 49.87%
How would I achieve this? I tried adding
| eventstats count as "totalCount" | eventstats count as "choiceCount" by msg | eval percent=(choiceCount/totalCount)*100 | stats values(percent) by msg | sort - values(percent)
but this adds the column up to make totalCount. I cant seem to select the cell I want to use instead of totalCount
Thanks
... View more