index=source earliest=-2h sourcetype=e | bucket _time span=1h | stats count by code _time | delta count as difference | eval percdif=round(abs(difference/count)*100,0) | table code, count, difference, percdif | sort -percdif -count | where count>1100 | fields code | head 10
I am using this query. The output will basically return error codes sorted by high percentage difference (errors are increasing). I am using the fields command to only output the top 10 errors in a table.
Since this query will show as a stats table, how can I use this output to further pipe or do a timechart?
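One way to feed the top-10 list back into a timechart, as an added example that is not part of the original post: run the ranking query as a subsearch so that the `code` values it returns become a filter on the outer search, and then timechart the matching raw events. It assumes the same index, sourcetype and field names as the question; Splunk turns the subsearch's `fields code` output into `(code=X OR code=Y ...)` automatically.

```spl
index=source earliest=-2h sourcetype=e
    [ search index=source earliest=-2h sourcetype=e
      | bucket _time span=1h
      | stats count by code _time
      | delta count as difference
      | eval percdif=round(abs(difference/count)*100,0)
      | sort -percdif -count
      | where count>1100
      | fields code
      | head 10 ]
| timechart span=1h count by code
```

Because the stats table has one row per code per hour, the same code can occupy several of the ten rows; add `| dedup code` before `| head 10` if ten distinct codes are wanted. Also note that `delta` compares each row with the previous row regardless of `code`, so the difference at the boundary between two codes mixes them; `streamstats current=f last(count) as prev by code` gives a per-code previous value instead.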