加入不会通过子搜索返回数据,我尝试了其他答案中的许多选项,但没有任何结果。
目标是检查有多少部门正在使用某些软件的最新版本,与所有旧版本相比较。
我的搜索查询 索引=abc版本!=“2.0” |去重版本thumb_print |按部门统计计数(thumb_print)为 OLD_RUNS |加入部门 [搜索索引=abc version="2.0" |去重版本thumb_print |按部门统计计数(thumb_print)为 NEW_RUNS ] |评估总计=OLD_RUNS + NEW_RUNS|填充空值=0 | eval perc=((NEW_RUNS/总数)*100) |评估部门 = substr(部门, 1, 50) |评估 perc=round(perc, 2) |表部门 OLD_RUNS NEW_RUNS perc |排序-perc
总体而言,此搜索在 1 周时间内预计将返回超过 10 万个事件。
加盟费用非常昂贵。我建议您只使用
BY| chart| makeresults count=10 ```<- start mock data```
| streamstats count
| eval
version=if(count%2=0,"2.0","1.7"),
thumb_print=random()%100,
department=case(
count%3==0,"a",
count%3==1,"b",
count%3==2,"c"
)
```end mock data```
| dedup version thumb_print
```get the count by department and version
use chart to get vars split by version
since version will be variable names,
rename it to suit your variable names```
| eval version=if(version=="2.0","NEW_RUNS","OLD_RUNS")
| chart
count(thumb_print) AS runs
BY
department
version
```from here its basically your code```
| eval
total=OLD_RUNS+NEW_RUNS,
perc=round(((NEW_RUNS/total)*100),2),
department=substr(department,1,50)
| fields department OLD_RUNS NEW_RUNS perc
| table department OLD_RUNS NEW_RUNS perc
| sort -perc