https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-to-find-percentage-for-field-values/m-p/476761#M133818 <P>I have values for a field named action, block, passed, and alerted. How would I go about creating a search to looks for the percentage of blocked to passed/alerted events?</P> <P>I have the basic search of<BR /> index=foo<BR /> | stats count by src, action<BR /> | stats list(action) as Action, list(count) as count, sum(count) as Total by src</P> <P>and was thinking eval could be used in some way</P> <P>Thx</P> Wed, 08 Jan 2020 17:01:53 GMT jwalzerpitt 2020-01-08T17:01:53Z https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-to-find-percentage-for-field-values/m-p/476761#M133818 <P>I have values for a field named action, block, passed, and alerted. How would I go about creating a search to looks for the percentage of blocked to passed/alerted events?</P> <P>I have the basic search of<BR /> index=foo<BR /> | stats count by src, action<BR /> | stats list(action) as Action, list(count) as count, sum(count) as Total by src</P> <P>and was thinking eval could be used in some way</P> <P>Thx</P> Wed, 08 Jan 2020 17:01:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-to-find-percentage-for-field-values/m-p/476761#M133818 jwalzerpitt 2020-01-08T17:01:53Z https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-to-find-percentage-for-field-values/m-p/476762#M133819 <P>You're definitely on the right track - I like doing something like this for readability, as you clearly create a variable for pass and fail, and set it to a bool. Then, you can just sum them by whatever you want (I did src in this case), then do a simple divide eval command to get the percent.</P> <PRE><CODE>index=foo | stats count by src, action |eval pass=if(action="pass", 1, 0) |eval fail=if(action="fail", 1, 0) |stats sum(pass) as numPass, sum(fail) as numFail by src |eval failPerc=numFail/(numFail + numPass) * 100 </CODE></PRE> <P>Hope this helps!</P> Wed, 08 Jan 2020 18:12:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-to-find-percentage-for-field-values/m-p/476762#M133819 aberkow 2020-01-08T18:12:57Z https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-to-find-percentage-for-field-values/m-p/476763#M133820 <P>Thx for the search. The issue that I'm having with the search you suggested is that the count of each action is reduced to a sum of the count which is just '1' and not the total count,. For example, I have IPs that are into the hundreds for allows, yet when I run the search they're reduced to one pass/fail.</P> <P>I changed the last line to <CODE>| stats count(pass) as numPass, count(fail) as numFail by src</CODE> and the count was more than one, but way less then the true count. It's like the eval isn't being applied to every event.</P> <P>Thx</P> Fri, 10 Jan 2020 14:32:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-to-find-percentage-for-field-values/m-p/476763#M133820 jwalzerpitt 2020-01-10T14:32:21Z https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-to-find-percentage-for-field-values/m-p/476764#M133821 <P>Sample query:</P> <PRE><CODE>| makeresults count=1000 | eval src="A.A.A.A#B.B.B.B#C.C.C.C#D.D.D.D" | eval action="pass#fail" | eval src=mvindex(split(src,"#"),random() % 3) | eval action=mvindex(split(action,"#"),random() % 2) | chart limit=0 count by src action | eval failPerc=round(fail / ( fail + pass ) * 100,2) </CODE></PRE> <P>recommend:</P> <PRE><CODE>index=foo action=fail OR action=pass | chart limit=0 useother=f usenull=f count by src action | eval failPerc=round(fail / ( fail + pass ) * 100,2) </CODE></PRE> Fri, 10 Jan 2020 19:43:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-to-find-percentage-for-field-values/m-p/476764#M133821 to4kawa 2020-01-10T19:43:44Z