The following query works for a specific time period.
eventtype=A | stats count | join type=outer [search eventtype=B | transaction host maxspan=3m | stats count as B_Count] | join type=outer [search eventtype=C | stats count as C_Count] | sort -count | eval B_Rate=(B_Count/count)*100 | fieldformat B_Rate=tostring(round(B_Rate,2))+"%" | eval C_Rate=(C_Count/count)*100 | fieldformat C_Rate=tostring(round(C_Rate,2))+"%" | table count, B_Count, B_Rate, C_Count, C_Rate
Results:
Total number of A events
Total number of B events
B divided by A%
Total number of C events
C divided by A%
How can I make this into a timechart that will provide results over time? For example, I would like the above results for every day for the last 7 days in a single table. I can do this manually by running the above query 7 times, once for each day, but I would like to do this in a single query.