topic Re: Percentage calculation by timechart in Splunk Search

Percentage calculation by timechart

vikram_m — Thu, 19 Jan 2017 06:39:31 GMT

We have a request to get values from particular field based on % of bin count.

(1) index=ABC | timechart span=1d count by => By this we get count of the bins for the particular days spanned by day

(2) index=ABC| top limit=0 => By this we get the bin % of the field value but it is not spanned but for the number of days we select in time picker.

So I am looking for a search which will:
i. calculate the bin count of the values in i.e error no 400, 200, 201, 208 separately also these should be spanned based on timechart we specify and i.e if I want bin count per day basis for the month it should show that.

Thanks for the help in query in advance.

Re: Percentage calculation by timechart

renjith_nair — Thu, 19 Jan 2017 07:04:17 GMT

Does this help ?

index=your index|timechart span=10m count by error_no|addtotals row=true fieldname=_Total|foreach * [eval <<FIELD>> = '<<FIELD>>' * 100 / _Total]

Re: Percentage calculation by timechart

vikram_m — Thu, 19 Jan 2017 08:20:46 GMT

Hello Renjith, the query when I used is not giving me % value instead it is giving me the same bin count as it provides with time chart.

can you please tell me what do I need to put for and is the same field name which we want count for ?

Re: Percentage calculation by timechart

renjith_nair — Thu, 19 Jan 2017 08:28:27 GMT

you just execute the same query as a whole. Just change the indexname and if needed error_no to our error number. Don't change FIELD

Re: Percentage calculation by timechart

cmerriman — Thu, 19 Jan 2017 12:56:53 GMT

this should work:

index=ABC|bucket _time span=1d| stats count by errorNo _time|eventstats sum(count) as total by errorNo |eval percentage=(count/total)*100|chart values(percentage) by _time errorNo

however the answer that @renjith.nair seems logical as well, foreach statements work wonders.

Re: Percentage calculation by timechart

vikram_m — Mon, 23 Jan 2017 06:34:56 GMT

Thanks cmerriman , renjith.nair for your replies. One of my collegue also found exactly what client was looking for the querry looks as pasted below. But however the querries you guys mentioned above also I'll try that so we have some more querries ready incase if client comes with some thing new. 🙂

index=<Index_Name> CustomField=<Custom_Field1> CustomField=<Custom_Field2>| bucket _time span=1d | stats count by _time,<Custom_Field2> | eventstats sum(count) as total by _time | eval percent=((count/total)*100)| table _time, <Custom_Field2>, count, total, percent

Re: Percentage calculation by timechart

goelli — Tue, 26 Jun 2018 11:21:33 GMT

Helped for me - nice solution. Should be accepted answer 😉
Thank you very much.

Re: Percentage calculation by timechart

beriwalnishant — Thu, 04 Feb 2021 13:43:08 GMT

Can you explain this query...the logic etc