Channel: Latest Questions on Splunk Answers

Using eval with subsearch stats as an argument


Hullo,

I have a set of messages as data which are various events being sent from an app. Every single message has the user_id field, and some of them have a log_info field, which indicates that the message was sent to indicate an error. I want to find out what percentage of users are encountering errors over the past X minutes.

Here's what I have so far.

source="app" | stats dc(user_id) as users | eval percent=[search source="app" log_info=* | stats dc(user_id)]/users

I retrieve all the messages from the app initially, and then store a distinct count as 'users'. I run an eval to divide my subsearch by users. My subsearch does the same thing as the initial search, except further narrows down to only the messages with errors.

I've checked and both the searches work. In addition, if I run something like eval percent=users*50 it works fine, so I know that the datatype returned by stats dc() can be plugged into eval. Not sure what I could be doing wrong.

Thanks for any help!
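
One way to compute this figure in a single pass, as an added example that is not part of the original post: count all distinct users and the distinct users whose events carry log_info in the same stats call, so no subsearch is needed. The field name error_users is an assumption introduced for illustration, and the time window is left to the search's time range.

```spl
source="app"
| stats dc(user_id) AS users,
        dc(eval(if(isnotnull(log_info), user_id, null()))) AS error_users
| eval percent=round(100 * error_users / users, 2)
```

A subsearch is expanded into search-term text (field="value" pairs) before the outer search runs, so inside eval it does not arrive as a bare number unless it ends with something like `| return $field`.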

