Hello, all.
I'm looking for the best method to tally a particular field by value and source and then run division with that tally.
index=abc sourcetype=csv
| eval failpass=if(a!=b,0,1)
| stats count by source, failpass | sort source
Given the above, I'd like to total the failpass=0 by source and the failpass=1 by source, then run division on the total failpass by source.
So if source abc.csv has 20 total events and 13 of those are failpass=0 and 7 of them are failpass=1, and def.csv has 10 events with failpass=0 and 10 events with failpass=1, then I'd show

Source    0    1    div1   div2
abc.csv   13   7    .65    .35
def.csv   10   10   .50    .50

I'm curious if there's a good way to pull that off.
TIA,
Reiger
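
One way to produce the table described in the question above, as an added example that is not part of the original post. The first four lines only build constructed sample events matching the numbers in the question (20 events for abc.csv, 20 for def.csv, with made-up values for a and b); the field names fail, pass and total are assumptions introduced here.

```spl
| makeresults count=40
| streamstats count as n
| eval source=if(n<=20, "abc.csv", "def.csv")
| eval a=1, b=case(source="abc.csv" AND n<=13, 2, source="def.csv" AND n<=30, 2, true(), 1)
| eval failpass=if(a!=b, 0, 1)
| stats count(eval(failpass=0)) as fail, count(eval(failpass=1)) as pass, count as total by source
| eval div1=round(fail/total, 2), div2=round(pass/total, 2)
| rename fail as "0", pass as "1"
| fields source "0" "1" div1 div2
```

Against real data, replace the first four lines with the base search from the post (index=abc sourcetype=csv) and keep everything from the failpass eval onward. Events where a or b is missing make a!=b evaluate to null, so if() falls through to 1 and they are counted as failpass=1.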