Calculating purcentage in a metric

AchrafNGZ · December 12, 2019, 1:13pm

Hello,
Sorry if its not the right section, thats cause im new

Im facing an issue with a codec expression that should allow me to calculate the purcentage of Symantec Endpoint Protection (SEP) client that have the Antivirus engine ON.

Bellow is my script

essql ""
query="SELECT COUNT(host.id) AS asset, COUNT(antivirus.avengine_onoff) AS AVon FROM "soc-asset-sep-" WHERE (antivirus.lastupdate > NOW()- INTERVAL 20 DAYS AND antivirus.avengine_onoff like 'Enabled')"
| math
{string "asset/" {filters group="host.id" ungrouped=true | essql "" query="SELECT COUNT(host.id) AS asset, COUNT(antivirus.avengine_onoff) AS AVon FROM "soc-asset-sep-" WHERE (antivirus.lastupdate > NOW()- INTERVAL 20 DAYS) and antivirus.avengine_onoff like 'Enabled'" | math "AVon"}}
| formatnumber "0%"
| metric
metricFont={font size=48 family="'Open Sans', Helvetica, Arial, sans-serif" color="#000000" align="center" lHeight=48}
labelFont={font size=14 family="'Open Sans', Helvetica, Arial, sans-serif" color="#000000" align="center"}
| render

This only show (in the preview) a list of the IDs with the status of the AVengine Enabled, how can i tranlate it to a % ?

Thanks you in advance for you help.

Kind regards
N.Achraf

corey.robertson · December 12, 2019, 4:45pm

Hi @AchrafNGZ

I think you have an issue in your expression with some unescaped strings. You have quotes around the index name "soc-asset-sep-" but that is in the larger query="" so those unescaped quotes are breaking the expression. You can escape them with a backslash like `FROM "soc-asset-sep-"

Here is a similar expression using one of our sample data sets to display a percent metric of orders that contain exactly 2 unique products.

filters
| essql
query="SELECT count(total_quantity) as cnt FROM \"kibana_sample_data_ecommerce\"
where total_unique_products = 2"
| math {string "cnt/" {filters | essql query="SELECT count(*) as cnt FROM \"kibana_sample_data_ecommerce\"" | math "cnt" }}
| formatnumber "0%"
| metric label="Percent of orders with 2 unique products"
| render

Hope that helps

AchrafNGZ · December 13, 2019, 7:30am

Hi @corey.robertson & thank you for your replay,

When tuning your expression, i have the value of the assets (when i click preview) but it give 100%, its lke its not doing any math

Thanks

system · January 10, 2020, 7:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SUM for colum1 and filter Kibana canvas	10	1859	April 27, 2021
Query using ESSQL Conditional (CASE) Function missing some records Kibana canvas	2	865	August 19, 2021
Canvas Issue - math Kibana canvas	7	1022	February 11, 2021
Canvas sql throwing syntax error Kibana canvas	3	870	August 12, 2020
Kibana visualize metric I'm not able to subtract with _value Kibana	4	786	May 4, 2021

Calculating purcentage in a metric

Related topics