https://community.splunk.com/t5/Splunk-Search/calculate-percentage-of-multiple-columns-and-then-create-a-chart/m-p/432186#M123482 <P>Thank you so much niketnilay! This is giving me what I need. I was playing around with foreach function before but I was not doing it right. Now i know <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span> Really appreciate your help! </P> Fri, 01 Jun 2018 20:16:47 GMT mmdacutanan 2018-06-01T20:16:47Z https://community.splunk.com/t5/Splunk-Search/calculate-percentage-of-multiple-columns-and-then-create-a-chart/m-p/432184#M123480 <P>I have a query (pasted below) that counts occurrence of different strings within the same field called Variable10. I then count the occurrence of that string found in Variable10 and I give it a new name:</P> <P>index=uc sourcetype=uc_tcd DigitsDialed=12345 Code!=000000| where not like (Variable7,"%PRE%")|dedup Variable2| timechart span=15m<BR /> count(eval(like(Variable10,"%|T%"))) as T_Count,<BR /> count(eval(like(Variable10,"%|M%"))) as M_Count,<BR /> count(eval(like(Variable10,"%|E%"))) as E_Count,<BR /> count(eval(like(Variable10,"%|G%"))) as G_Count,<BR /> count(eval(like(Variable10,"%|P%"))) as P_Count,<BR /> count(eval(like(Variable10,"%|L%"))) as L_Count,<BR /> count(eval(like(Variable10,"%346%") OR like(Variable10,"%347%") )) as U_Count,<BR /> count(eval(not like(Variable10,"%346%") OR not like(Variable10,"%347%") OR not like(Variable10,"%|T%") OR not like(Variable10,"%|M%") OR not like(Variable10,"%|E%") OR not like(Variable10,"%|G%") OR<BR /> not like(Variable10,"%|P%") OR not like(Variable10,"%|L%"))) as X_Count<BR /> | addtotals col=f</P> <P>The output looks like this:</P> <P>_time T_Count M_Count E_Count G_Count P_Count L_Count U_Count X_Count Total<BR /> 2018-05-30T00:00:00.000-0700 0 0 13 19 16 27 0 287 362<BR /> 2018-05-30T00:15:00.000-0700 0 0 8 9 9 3 0 228 257<BR /> 2018-05-30T00:30:00.000-0700 0 0 6 4 17 1 0 217 245<BR /> 2018-05-30T00:45:00.000-0700 0 0 8 7 28 0 0 186 229<BR /> 2018-05-30T01:00:00.000-0700 0 0 3 6 21 0 0 171 201</P> <P>What I need now is to be able to calculate the percentage of each *_Count column so that it looks something like this:</P> <P>_time T_Count T% M_Count M% E_Count E% G_Count G% P_Count P% L_Count L% U_Count U% X_Count X% Total<BR /> 2018-05-30T00:00:00.000-0700 0 0 0 0 13 3.59 19 5.25 16 4.42 27 7.46 0 0 287 79.28 362<BR /> 2018-05-30T00:15:00.000-0700 0 0 0 0 8 3.11 9 3.5 9 3.5 3 1.17 0 0 228 88.72 257<BR /> 2018-05-30T00:30:00.000-0700 0 0 0 0 6 2.45 4 1.63 17 6.94 1 0.41 0 0 217 88.57 245<BR /> 2018-05-30T00:45:00.000-0700 0 0 0 0 8 3.49 7 3.06 28 12.23 0 0 0 0 186 81.22 229<BR /> 2018-05-30T01:00:00.000-0700 0 0 0 0 3 1.49 6 2.99 21 10.45 0 0 0 0 171 85.07 201</P> <P>And then finally I'd like to be able to do a line chart of just the percentages, not the count, on a 15min interval.</P> <P>Any feedback/suggestion will help. </P> <P>Thanks in advance!</P> Tue, 29 Sep 2020 19:47:25 GMT https://community.splunk.com/t5/Splunk-Search/calculate-percentage-of-multiple-columns-and-then-create-a-chart/m-p/432184#M123480 mmdacutanan 2020-09-29T19:47:25Z https://community.splunk.com/t5/Splunk-Search/calculate-percentage-of-multiple-columns-and-then-create-a-chart/m-p/432185#M123481 <P>@mmdacutanan, please pipe the following commands to your current search to get the required output. The <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach">foreach</A> command will perform template eval function on the required fields:</P> <PRE><CODE>&lt;YourCurrentSearchForCountAndTotal&gt; | foreach "*_Count" [eval "&lt;&lt;MATCHSTR&gt;&gt;_Perc%"=round(('&lt;&lt;FIELD&gt;&gt;'/Total)*100,1)] | table _time "*_Perc%" Total </CODE></PRE> <P>Following is a run anywhere search based on the sample data provided. The commands till from <CODE>| makeresults</CODE> till <CODE>| table _time * Total</CODE> generate dummy data as per first table in the question:</P> <PRE><CODE>| makeresults | eval data="2018-05-30T00:00:00.000-0700 0 0 13 19 16 27 0 287 362;2018-05-30T00:15:00.000-0700 0 0 8 9 9 3 0 228 257;2018-05-30T00:30:00.000-0700 0 0 6 4 17 1 0 217 245;2018-05-30T00:45:00.000-0700 0 0 8 7 28 0 0 186 229;2018-05-30T01:00:00.000-0700 0 0 3 6 21 0 0 171 201" | makemv data delim=";" | mvexpand data | makemv data delim=" " | eval _time=strptime(mvindex(data,0),"%Y-%m-%dT%H:%M:%S.%3N%z"), T_Count=mvindex(data,1), M_Count=mvindex(data,2), E_Count=mvindex(data,3), G_Count=mvindex(data,4), P_Count=mvindex(data,5), L_Count=mvindex(data,6), U_Count=mvindex(data,7), X_Count=mvindex(data,8), Total=mvindex(data,9) | fields - data | table _time * Total | foreach "*_Count" [eval "&lt;&lt;MATCHSTR&gt;&gt;_Perc%"=round(('&lt;&lt;FIELD&gt;&gt;'/Total)*100,1)] | table _time "*_Perc%" Total </CODE></PRE> Thu, 31 May 2018 05:47:08 GMT https://community.splunk.com/t5/Splunk-Search/calculate-percentage-of-multiple-columns-and-then-create-a-chart/m-p/432185#M123481 niketn 2018-05-31T05:47:08Z https://community.splunk.com/t5/Splunk-Search/calculate-percentage-of-multiple-columns-and-then-create-a-chart/m-p/432186#M123482 <P>Thank you so much niketnilay! This is giving me what I need. I was playing around with foreach function before but I was not doing it right. Now i know <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span> Really appreciate your help! </P> Fri, 01 Jun 2018 20:16:47 GMT https://community.splunk.com/t5/Splunk-Search/calculate-percentage-of-multiple-columns-and-then-create-a-chart/m-p/432186#M123482 mmdacutanan 2018-06-01T20:16:47Z https://community.splunk.com/t5/Splunk-Search/calculate-percentage-of-multiple-columns-and-then-create-a-chart/m-p/432187#M123483 <P>I am glad you got it to work! foreach takes some time to get to specially if you code foreach differently in your day to day code <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 01 Jun 2018 20:27:23 GMT https://community.splunk.com/t5/Splunk-Search/calculate-percentage-of-multiple-columns-and-then-create-a-chart/m-p/432187#M123483 niketn 2018-06-01T20:27:23Z