Hello,
I would like to create fields (or a field with multiple values) which represents the sum for each timestamp.
For example, if I have data like this:
10/23/19
10:37:01.000 AM
urlupdateid=6, urlid=1, payer=Aetna, ReviewDate_datetype_correct=true, ReviewDate_date_correct=true, total_datetypes_correct=1, total_dates_correct=1, total_datetypes=1
10/17/19
3:18:48.000 PM
urlupdateid=5, urlid=1, payer=Aetna, RetiredDate_datetype_correct=false, RetiredDate_date_correct=false, total_datetypes_correct=0, total_dates_correct=0, total_datetypes=1
10/17/19
3:18:48.000 PM
urlupdateid=4, urlid=1, payer=Aetna, EffectiveDate_datetype_correct=true, EffectiveDate_date_correct=false, total_datetypes_correct=1, total_dates_correct=0, total_datetypes=1
10/17/19
3:18:48.000 PM
urlupdateid=3, urlid=1, payer=Aetna, EffectiveDate_datetype_correct=false, EffectiveDate_date_correct=false, total_datetypes_correct=0, total_dates_correct=0, total_datetypes=1
10/17/19
3:18:48.000 PM
urlupdateid=2, urlid=1, payer=Aetna, ReviewDate_datetype_correct=true, ReviewDate_date_correct=false, total_datetypes_correct=1, total_dates_correct=0, total_datetypes=1
10/17/19
3:18:48.000 PM
urlupdateid=1, urlid=1, payer=Aetna, PublicationDate_datetype_correct=true, PublicationDate_date_correct=true, ReviewDate_datetype_correct=true, ReviewDate_date_correct=true, total_datetypes_correct=2, total_dates_correct=2, total_datetypes=2
The result would be two data points from sum(total_dates_correct) / sum(total_datetypes):
one where TOTAL_ACCURACY = 2/6 (from all the events with the timestamp 10/17/19 3:18:48.000 PM) and one another where TOTAL_ACCURACY = 3/7 (from all events including both timestamp 10/17/19 3:18:48.000 PM and 10/23/19 10:37:01.000 AM)
How would I do this? This query does not work because TOTAL_ACCURACY only reflects the accuracy up to the current timestamp:
| eventstats sum(total_dates_correct) as TOTAL_CORRECT | eventstats sum(total_datetypes) as TOTAL | eval TOTAL_ACCURACY = (TOTAL_CORRECT / TOTAL) * 100
Ideally, I would like to create a dashboard that shows the accuracy over the time range that is changeable in the search.
Thanks
↧