
How do we get the percentage for the top 1000 values along with more fields.. I tried the below but it doesn't work..

|eval percent=round(count/total*100,1000) | eventstats count(src) as total | iplocation src | stats count by src, dest, msg, Server_Group, Country, percent | sort count | head 1000


1 Answer


This run-anywhere query should get you started.

| makeresults 
| eval _raw="Source of attack Country           count
50.17.98.189   Ireland             9602 
159.89.48.18   Canada              2200 
221.151.26.232 Republic of Korea 1437 
84.39.116.10   United Kingdom      1372
" 
| multikv 
```Above just sets up test data```
| sort - count 
```Add average and total fields to the results```
| appendpipe 
    [ stats avg(count) as Avg, sum(count) as Total ] 
```Put the Total field on top so the filldown command works```
| reverse
```Put the Total field in every event```
| filldown Total 
```Calculate the percentage for each source```
| eval pct=round(count*100/Total,2)
```Restore the original order```
| reverse
```Remove unneeded field```
| fields - Total

Here is your query combined with mine

index=abc
```iplocation must enrich the same field that stats groups by (src, as in the question)```
| iplocation src
| stats count by src, Country 
| sort - count 
| head 1000
```Total is the sum over the top 1000 rows only; move appendpipe above head for each source's share of all sources```
| appendpipe 
    [ stats avg(count) as Avg, sum(count) as Total ] 
| reverse
| filldown Total 
| eval pct=round(count*100/Total,2)
| reverse
| fields - Total
answered 2021-02-01T14:52:33.283
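The same percentage-of-total can be produced without the appendpipe / reverse / filldown dance by letting eventstats write the sum into every row. This is an added run-anywhere example, not code from the question or the answer above; the four rows of test data are constructed (same shape as the answer's sample, with single-word country names so multikv splits the columns cleanly). Note the ordering: eventstats runs before head, so pct is each source's share of all sources, not just of the 1000 kept; move the eventstats line below head to reproduce the answer's behaviour.

```spl
| makeresults
| eval _raw="src            Country  count
50.17.98.189   Ireland  9602
159.89.48.18   Canada   2200
221.151.26.232 Korea    1437
84.39.116.10   UK       1372
"
| multikv
| eventstats sum(count) as Total
| eval pct=round(count*100/Total, 2)
| sort - count
| head 1000
| table src Country count pct
```

Against real data, replace the first three lines (makeresults, eval, multikv) with the question's own pipeline, `index=abc | iplocation src | stats count by src, Country`, and keep the rest unchanged; eventstats adds Total to every row directly, so no reverse or filldown is needed and the appended summary row never appears in the output.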