Using a simple example: count the number of events for each host name
... | timechart count BY host
> ... | timechart count BY host
>
> This search produces this results table:
>
> | _time | host1 | host2 | host3 |
> |---|---|---|---|
> | 2018-07-05 | 1038 | 27 | 7 |
> | 2018-07-06 | 4981 | 111 | 35 |
> | 2018-07-07 | 5123 | 99 | 45 |
> | 2018-07-08 | 5016 | 112 | 22 |
What I want is to add a column to show the total events for that day and the percentage of each http status code.
I tried
... | timechart count BY host
| eval total= host1 + host2 + host3
| eval host1_percent = host1 / total
| eval host2_percent = host2 / total
| eval host3_percent = host3 / total
| table _time, host1_percent, host2_percent, host3_percent
This works most of the time, but I found out that if, for a certain day, a host was offline (no records for a particular host), then the search doesn't work (it returns blank results). I have to remove that particular host from the "total = host1 + host2 + host3" to get it to work.
So my question is: is there a way to get the total number of records for every day (row) without having to add them together, e.g. replace the "total = host1 + host2 + host3" with a count or sum? I tried a couple of things, and none of them worked.
It would help to know what you've tried so far so we don't suggest the same things.
Have you tried addtotals?
| timechart count by host
| addtotals row=true fieldname=total host*
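An added example, not part of the original answer: the `addtotals` approach above carried through to the per-host percentages, with `foreach` so that no host name is hard-coded and a host column that is absent from the results is skipped. The `makeresults` rows are constructed sample data that reuse the host1 and host2 counts from the question and deliberately leave out host3. In a real search they stand in for `... | timechart count BY host`. The `_percent` values here are multiplied by 100 and rounded, which the question's `eval` lines did not do.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time = strptime("2018-07-05", "%Y-%m-%d") + (n - 1) * 86400
| eval host1 = case(n=1, 1038, n=2, 4981, n=3, 5123, n=4, 5016)
| eval host2 = case(n=1, 27, n=2, 111, n=3, 99, n=4, 112)
| fields _time host1 host2
| addtotals row=true fieldname=total host*
| foreach host* [ eval <<FIELD>>_percent = round('<<FIELD>>' / total * 100, 2) ]
| table _time total host*_percent
```

Because `total` is built from whichever `host*` columns exist, a missing host no longer turns the sum into a null value, which is what blanked the results in the hard-coded `eval total = host1 + host2 + host3` version.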