Hello,
I want to divide AverageCount by AverageTotal. The problem is that Average count is separated by Sourcetype and Average Total is separated by a Field. For example:
index=x Sourcetype: SAT --> I calculate Average Count using this search
index=x Sourcetype:TotalTru Site:SAT --> I calculate Average Total by day using this search
Is there a way that I can use an eval statement, specifying with an if statement what site to relate the average to? I was thinking:
If sourcetype: SAT, then eval by site when site: SAT
index="x"
| bin _time span=1d
| stats count(Number) as CountEvents by _time, sourcetype
| chart avg(CountEvents) as AverageCount by sourcetype
| append
[search sourcetype=TotalTru
| eval Total=if(sourcetype==SAT,
....
Thanks!!