https://community.splunk.com/t5/Splunk-Search/View-percentage-with-count/m-p/488894#M136544 <P>Thanks a lot! Really helpfull</P> Tue, 24 Sep 2019 12:18:21 GMT jonydupre 2019-09-24T12:18:21Z https://community.splunk.com/t5/Splunk-Search/View-percentage-with-count/m-p/488890#M136540 <P>Hi all,</P> <P>I'm pretty new to Splunk and I'm trying out different things to challange myself. I completed the fundementals 1 course and started testing on some Linux systems. I'm trying to find unhealthy systems and sort them by "problem". That part works right now, but now I want to show the percentages of the problems.</P> <PRE><CODE>index=Linux HCS "NOT OK" | table HCS host | search host="" | stats count by HCS </CODE></PRE> <P>How should I go about summing everything up and getting all percetages based on different problems?<BR /> In the course they use <CODE>top [field] limit=10</CODE> to view percentages, but in this case, that's not working.</P> <P>Can someone help me out a bit?</P> <P>Thanks!</P> Mon, 23 Sep 2019 09:42:28 GMT https://community.splunk.com/t5/Splunk-Search/View-percentage-with-count/m-p/488890#M136540 jonydupre 2019-09-23T09:42:28Z https://community.splunk.com/t5/Splunk-Search/View-percentage-with-count/m-p/488891#M136541 <P>Hello,</P> <P>I think your problem is that you're doing the <CODE>stats</CODE> before doing the <CODE>top</CODE>.<BR /> Try it like that</P> <PRE><CODE>index=Linux HCS "NOT OK" | table HCS host | search host="o*" host!="osas*" | top HCS limit=10 </CODE></PRE> <P>You will have the top 10 of the HCS with the count and the percentage <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Let me know if it works !</P> Mon, 23 Sep 2019 09:47:31 GMT https://community.splunk.com/t5/Splunk-Search/View-percentage-with-count/m-p/488891#M136541 KailA 2019-09-23T09:47:31Z https://community.splunk.com/t5/Splunk-Search/View-percentage-with-count/m-p/488892#M136542 <P>Thanks, that works perfectly. Could you maybe eleborate why <CODE>stats</CODE> should not be before <CODE>top</CODE>?<BR /> I'm trying to learn as much as possible so I would appreciate that a lot!</P> <P>Also, is there a way to be more interactive with the community for small questions like this? Something like a chatroom or something? </P> <P>Thanks!</P> Mon, 23 Sep 2019 09:54:36 GMT https://community.splunk.com/t5/Splunk-Search/View-percentage-with-count/m-p/488892#M136542 jonydupre 2019-09-23T09:54:36Z https://community.splunk.com/t5/Splunk-Search/View-percentage-with-count/m-p/488893#M136543 <P>Because for this case <CODE>stats count</CODE> and <CODE>top</CODE> are doing the same thing, so you have to use only one of them.<BR /> The difference is that <CODE>top</CODE> is only doing a count and the give the percentage but <CODE>stats</CODE> can do a count, sum, average, first or last value... (look at this documentation : <A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Stats#Stats_function_options">https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Stats#Stats_function_options</A>)</P> <P>And for your second question, we have a Slack and you can join us : splk.it/slack</P> Mon, 23 Sep 2019 13:54:21 GMT https://community.splunk.com/t5/Splunk-Search/View-percentage-with-count/m-p/488893#M136543 KailA 2019-09-23T13:54:21Z https://community.splunk.com/t5/Splunk-Search/View-percentage-with-count/m-p/488894#M136544 <P>Thanks a lot! Really helpfull</P> Tue, 24 Sep 2019 12:18:21 GMT https://community.splunk.com/t5/Splunk-Search/View-percentage-with-count/m-p/488894#M136544 jonydupre 2019-09-24T12:18:21Z