I have a dashboard and want to add a single value panel that shows the number of events with a value for "time_taken" > 10000ms, as a percentage of a total number of events in the selected time period.
In my case, the events being searched are just basic events that have a field "time_taken" with numeric values.
What I tried to do is below, based on an example I found:
sourcetype=iis
cs_uri_stem="/SeverA*"
| eval myfield=case(time_taken > 10000, "Greater", time_taken <= 10000, "LessThan")
| timechart count by myfield
| eval total=Greater+LessThan
| eval PercentageGreater=Greater*100/total
| fields _time PercentageGreater
This seems to give the data I need. However, I don't want to slice it by time. Even if I remove _time from the "fields" expression, it still displays a chart with one row per a time 10 seconds. I just want the percentage from the total time_taken across whatever time period I've selected on my dashboard. In other words, I just want a single value.
I'm guessing using "timechart" is not what I want, but I'm not sure how else to approach this. I tried just "chart" when testing the query, but then there is nothing shown on the Statistics tab in the results.
Ultimately, I want to add it as a single value in a dashboard, something like the following, so once I get the correct basic query, I think I need to end it with something to grab that final value and display. So, if Time Period selection in the dashboard is one hour, there are 100 events, and if 10 of those have time_taken > 10000, I just want to display the single value "10%".Response Time - Percentage > 10s
VALID QUERY HERE $TimePeriod.earliest$ $TimePeriod.latest$ 10m delay |
↧