Question
How do we get the percentage for the top 1000 values along with more fields? I tried the below but it doesn't work.
| eval percent=round(count/total*100,1000)
| eventstats count(src) as total
| iplocation src
| stats by src,dest,msg,Server_Group,Country,percent
| sort count
| head 1000
Answer
This run-anywhere query should get you started.
| makeresults
| eval _raw="Source of attack Country count
50.17.98.189 Ireland 9602
159.89.48.18 Canada 2200
221.151.26.232 Republic of Korea 1437
84.39.116.10 United Kingdom 1372
"
| multikv
```Above just sets up test data```
| sort - count
```Add average and total fields to the results```
| appendpipe
[ stats avg(count) as Avg,sum(count) as Total ]
```Put the Total field on top so the filldown command works```
| reverse
```Put the Total field in every event```
| filldown Total
```Calculate the percentage for each source```
| eval pct=round(count*100/Total,2)
```Restore the original order```
| reverse
```Remove unneeded field```
| fields - Total
Here is your query merged with mine
index=abc
| iplocation src
| stats count by src,Country
| sort - count
| head 1000
| appendpipe
[ stats avg(count) as Avg,sum(count) as Total ]
| reverse
| filldown Total
| eval pct=round(count*100/Total,2)
| reverse
| fields - Total
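An added alternative, not part of the answer above: the query in the answer computes Total after `head 1000`, so `pct` is each source's share of the top 1000 sources only, not of all traffic. If the percentage should be relative to every source in the index, compute the total with `eventstats` before cutting to the top 1000. This version also keeps the extra fields the question asked for (`dest`, `msg`, `Server_Group` are assumed to be the field names from the question) and runs `iplocation` after `stats`, so the GeoIP lookup is done once per aggregated row instead of once per raw event.

```spl
index=abc
| stats count by src, dest, msg, Server_Group
| iplocation src
| eventstats sum(count) as Total
| eval pct=round(count*100/Total, 2)
| sort - count
| head 1000
| fields - Total
```

`eventstats sum(count) as Total` writes the grand total onto every row without the appendpipe/reverse/filldown sequence, and because it runs before `head`, the percentages still sum to 100 across the whole result set rather than across the displayed rows. If the share per source is wanted regardless of `dest` or `msg`, replace that line with `eventstats sum(count) as Total by src` and read `pct` as the fraction of that source's events.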