我为子搜索中的模型选择orderids,然后为每个订单ID选择最常见的材料,因此我得到了每个材料的列表以及它作为订单一部分的时间。我想以所有订单的百分比显示最常见的材料。所以我需要每个材料被发现的频率,然后除以订单总数。
sourcetype=file1 [subsearch... ->returns Orders] |
在这里我需要选择订单总额,如:
stats dc(Orders) as totalamount by Orders|
stats dc(Orders) as anz by Material|
eval percentage= anz/totalamount|
sort by percentage desc
如何执行总搜索量?
我假设从您的基本搜索中,您无论如何都会得到订单和材料,您需要使用eventstats来获取总计数。以下代码应工作
index=foo sourcetype=file1 [subsearch... ->returns Orders]
| stats count(Orders) as order_material_count by Material
| eventstats sum(order_material_count ) as totalCount
| eval percentage=(order_material_count*100)/totalamount
| fields Mateira, order_material_count , percentage
| sort - percentage
尝试streamstats命令。
index=foo sourcetype=file1 [subsearch... ->returns Orders]
| streamstats count(Orders) as totalamount
| stats count(Orders) as anz by Material
| eval percentage=(anz*100)/totalamount
| sort - percentage