Calculating purcentage in a metric

AchrafNGZ · December 12, 2019, 1:13pm

Hello,
Sorry if its not the right section, thats cause im new

Im facing an issue with a codec expression that should allow me to calculate the purcentage of Symantec Endpoint Protection (SEP) client that have the Antivirus engine ON.

Bellow is my script

essql ""
query="SELECT COUNT(host.id) AS asset, COUNT(antivirus.avengine_onoff) AS AVon FROM "soc-asset-sep-" WHERE (antivirus.lastupdate > NOW()- INTERVAL 20 DAYS AND antivirus.avengine_onoff like 'Enabled')"
| math
{string "asset/" {filters group="host.id" ungrouped=true | essql "" query="SELECT COUNT(host.id) AS asset, COUNT(antivirus.avengine_onoff) AS AVon FROM "soc-asset-sep-" WHERE (antivirus.lastupdate > NOW()- INTERVAL 20 DAYS) and antivirus.avengine_onoff like 'Enabled'" | math "AVon"}}
| formatnumber "0%"
| metric
metricFont={font size=48 family="'Open Sans', Helvetica, Arial, sans-serif" color="#000000" align="center" lHeight=48}
labelFont={font size=14 family="'Open Sans', Helvetica, Arial, sans-serif" color="#000000" align="center"}
| render

This only show (in the preview) a list of the IDs with the status of the AVengine Enabled, how can i tranlate it to a % ?

Thanks you in advance for you help.

Kind regards
N.Achraf

corey.robertson · December 12, 2019, 4:45pm

Hi @AchrafNGZ

I think you have an issue in your expression with some unescaped strings. You have quotes around the index name "soc-asset-sep-" but that is in the larger query="" so those unescaped quotes are breaking the expression. You can escape them with a backslash like `FROM "soc-asset-sep-"

Here is a similar expression using one of our sample data sets to display a percent metric of orders that contain exactly 2 unique products.

filters
| essql
query="SELECT count(total_quantity) as cnt FROM \"kibana_sample_data_ecommerce\"
where total_unique_products = 2"
| math {string "cnt/" {filters | essql query="SELECT count(*) as cnt FROM \"kibana_sample_data_ecommerce\"" | math "cnt" }}
| formatnumber "0%"
| metric label="Percent of orders with 2 unique products"
| render

Hope that helps

AchrafNGZ · December 13, 2019, 7:30am

Hi @corey.robertson & thank you for your replay,

When tuning your expression, i have the value of the assets (when i click preview) but it give 100%, its lke its not doing any math

Thanks

Topic		Replies	Views
Canvas Multiple Math Functions ESSQL Kibana canvas	3	1785	October 20, 2020
Custom Field Doesn't Show Percentage in Metric Kibana	5	673	March 23, 2019
New metric Percent based on a total Kibana	3	1924	March 1, 2019
Kibana Metrics (take percentage of the sum of a field) Kibana kql-kibana-query-language	3	923	August 16, 2021
Elastic metric count to percentage Kibana kql-kibana-query-language	4	1361	May 25, 2023

Calculating purcentage in a metric

Related topics