https://community.splunk.com/t5/Splunk-Search/How-to-get-percentage-of-values-for-a-field-based-on-total/m-p/466132#M131265 <P>@somesoni2 I've updated the question with a search and subsearch I created.</P> Thu, 29 Aug 2019 18:06:28 GMT fullstackdev 2019-08-29T18:06:28Z https://community.splunk.com/t5/Splunk-Search/How-to-get-percentage-of-values-for-a-field-based-on-total/m-p/466130#M131263 <P>Hi,</P> <P>I have been pulling my hair to get this to work, but couldn't, and any help would be very much appreciated.</P> <P>I have a set of events created for when <CODE>tickets</CODE> are created. One of field is <CODE>created</CODE> time like this: <CODE>2019-08-26T18:20:08.930Z</CODE></P> <P>I have another set of events created for when some type of query is made for <CODE>ticket</CODE>, and it includes time when the ticket was originally created.</P> <P>I would like to create a table of percentage of type of queries made from total number of orders created on the date.</P> <P>For example, ticket events are like the following:<BR /> <CODE>{"event":"ticket_created","ticket_id": "id_1", "created": "2019-08-26T18:20:08.930Z"},<BR /> {"event":"ticket_created","ticket_id": "id_2", "created": "2019-08-26T18:20:08.930Z"},<BR /> {"event":"ticket_created","ticket_id": "id_3", "created": "2019-08-26T18:20:08.930Z"},</CODE></P> <P>And query events would be like this: <BR /> <CODE>{"event":"query","query_type":"type1","ticket_id": "id_1", "ticket_created": "2019-08-26T18:20:08.930Z"},<BR /> {"event":"query","query_type":"type2","ticket_id": "id_2", "ticket_created": "2019-08-26T18:20:08.930Z"},</CODE></P> <P>And table I am trying to create (from which visualization can be created):<BR /> <CODE>Date type1 type2</CODE><BR /> <CODE>2019-08-26 33% (1 out of 3 tickets) 33% (1 out of 3 tickets)</CODE><BR /> <CODE>2019-08-27 N% M%</CODE><BR /> <CODE>2019-08-28 I% J%</CODE></P> <P>So, far I was only able to generate just total numbers (query types by converted date appended with total ticket count by converted date). I can't seem to figure out how to dynamically divide sum of types divided by total number of tickets grouped by converted date. </P> <P>The following is the query I did, and it generates a table like the following:<BR /> <CODE>sourcetype="sourcetype" event="query"<BR /> | eval ticketCreated=strptime(created_at, "%Y-%m-%dT%H:%M:%S.%QZ")<BR /> | eval ticketCreatedDate=strftime(ticketCreated, "%Y-%m-%d")<BR /> | chart count by ticketCreatedDate, query_type <BR /> | appendcols [search sourcetype="sourcetype" event="ticket_created"<BR /> | eval ticketCreated=strptime(ticket_created, "%Y-%m-%dT%H:%M:%S.%QZ")<BR /> | eval ticketCreatedDate=strftime(ticketCreated, "%Y-%m-%d")<BR /> | stats count as ticketCount by ticketCreatedDate]</CODE></P> <P><CODE>Date type1 type2 ticketCount</CODE><BR /> <CODE>2019-08-26 1 1 3</CODE></P> <P>Any help would be much, much appreciated. </P> Thu, 29 Aug 2019 16:54:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-percentage-of-values-for-a-field-based-on-total/m-p/466130#M131263 fullstackdev 2019-08-29T16:54:44Z https://community.splunk.com/t5/Splunk-Search/How-to-get-percentage-of-values-for-a-field-based-on-total/m-p/466131#M131264 <P>Can you share the query using which you were able to generate total numbers?</P> Thu, 29 Aug 2019 17:51:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-percentage-of-values-for-a-field-based-on-total/m-p/466131#M131264 somesoni2 2019-08-29T17:51:42Z https://community.splunk.com/t5/Splunk-Search/How-to-get-percentage-of-values-for-a-field-based-on-total/m-p/466132#M131265 <P>@somesoni2 I've updated the question with a search and subsearch I created.</P> Thu, 29 Aug 2019 18:06:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-percentage-of-values-for-a-field-based-on-total/m-p/466132#M131265 fullstackdev 2019-08-29T18:06:28Z https://community.splunk.com/t5/Splunk-Search/How-to-get-percentage-of-values-for-a-field-based-on-total/m-p/466133#M131266 <P>What you need is a foreach command.</P> <P>Try something like this (with little modifications to optimize the search</P> <PRE><CODE>sourcetype="sourcetype" event="query" | eval ticketCreatedDate=replace(created_at, "*.+)T.+","\1") | chart count by ticketCreatedDate, query_type | appendcols [search sourcetype="sourcetype" event="ticket_created" | eval ticketCreatedDate=replace(ticket_created, "*.+)T.+","\1") | stats count as ticketCount by ticketCreatedDate] | foreach * [| eval "&lt;&lt;FIELD&gt;&gt;"=if("&lt;&lt;FIELD&gt;&gt;"="ticketCount" OR "&lt;&lt;FIELD&gt;&gt;"="ticketCreatedDate" , '&lt;&lt;FIELD&gt;&gt;' , tostring(round('&lt;&lt;FIELD&gt;&gt;'*100/ticketCount))."%") ] </CODE></PRE> <P>Updates to existing query: reduced two evals to one (date is already in the format you need to extract the data part from created date)</P> <P>Foreach command: Your search result before foreach will have fields ticketCount and ticketCreatedDate and one field for each of ticket type. So, foreach looks at each field, it does nothing if field name is ticketCount or ticketCreatedDate, but for all other fields, it calculates the percentage using ticketCount field.</P> Thu, 29 Aug 2019 18:38:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-percentage-of-values-for-a-field-based-on-total/m-p/466133#M131266 somesoni2 2019-08-29T18:38:35Z https://community.splunk.com/t5/Splunk-Search/How-to-get-percentage-of-values-for-a-field-based-on-total/m-p/466134#M131267 <P>@somesoni2 You are a savior! Thank you so much!</P> Thu, 29 Aug 2019 18:47:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-percentage-of-values-for-a-field-based-on-total/m-p/466134#M131267 fullstackdev 2019-08-29T18:47:22Z