I need to build a report, that contains approx 500 thousand events. the requirement is that the report will contain three rows - I need to count if httpStatus is ok or not, and classify each eventId in its propper position. (the requirement is that we will have minimal amount of rows!!! I cant duplicate or have more then 10 rows)
so basically the report looks like this:
|*MY SEARCH *
|stats count(request.uri) as totalCount values(uri) as uri values(timeTaken.total) as newTime perc95(timeTaken.total) as prec95 perc5(timeTaken.total) as prec5 median(timeTaken.total) as med avg(timeTaken.total) as average max(date) as maxDate
min(date) as minDate values(timeTaken.total) as time by status
|table uri totalCount prec95 prec5 med average status maxDate minDate time
now my question is-
I need to add a new line of totals, based on the other lines.
beacuse Im using functions such as avg, median etc, I dont think I can use |addtotals
and a very important note is that all of my values in the columns time and uri are not distinct. that means they can appear more then once, and then my calculations are wrong, and I cant base a following stats based on the previous one. Ive tried using list, but it has a limit of 100 values, and I have hundred of thousands.
what can I do to add another total row that will calculate all of my events ?
Ive tried adding |appendPipe it this way based on the results Ive gotten in the stats command, but of course I got wrong values (because the time result is not distinct, and the values shown in the stats are distinct)
thats my report after adding the total calculation (that didnt work)
|*MY SEARCH *
|stats count(request.uri) as totalCount values(uri) as uri values(timeTaken.total) as newTime perc95(timeTaken.total) as prec95 perc5(timeTaken.total) as prec5 median(timeTaken.total) as med avg(timeTaken.total) as average max(date) as maxDate
min(date) as minDate values(timeTaken.total) as time by status
|appendpipe [stats sum(totalCount) as totalCount values(uri) as uri values(newTime) as newTime perc95(time) as prec95 perc5(time) as prec5 median(time) as med avg(time) as average| eval status="TOTAL"]
|table uri totalCount prec95 prec5 med average status maxDate minDate time
I really hope that Ive made my question clear
thank's in advance :)
