hello
I use the search below in order to calcul a volume in %
As you can see, I first calculate events where process_cpu_used_percent>80 (before appendcols) and then I count the total number of hosts (after appendcols)
My question concern this count
What I would like to do is not to count the total number of hosts but to count only the host where process_cpu_used_percent<80
The goal is to have a more precise % because if I count the total number of hosts it might happen that some hosts are not connected on the network or might not have the UF Splunk agent installed
Could you help me please?
[| inputlookup host.csv
| table host] `CPU`
| where process_cpu_used_percent>80
| stats dc(host) as NbHostProcessSup80
| appendcols
[| inputlookup host.csv
| stats dc(host) as NbIndHost]
| eval Perc=round((NbHostProcessSup80/NbIndHost)*100,2)
| table Perc, NbIndHost
↧