topic using streamstats and stats together in Splunk Search https://community.splunk.com/t5/Splunk-Search/using-streamstats-and-stats-together/m-p/64932#M16036 <P>i'd like to produce a field per event that's the running sum of some field as a percentage of the total sum of that field over the whole search.</P> <P>for example, if this were excel, my sheet would look something like this:</P> <PRE><CODE>+-----------------------+---------------+-------------+ | original field values | running total | what i want | +-----------------------+---------------+-------------+ | 1 | 1 | 20% | | 1 | 2 | 40% | | 1 | 3 | 60% | | 1 | 4 | 80% | | 1 | 5 | 100% | +-----------------------+---------------+-------------+ </CODE></PRE> <P>i see that <EM>streamstats</EM> or <EM>accum</EM> can generate my "running total" column,<BR /> but to get my "what i want" column, i need the output of <EM>stats c()</EM> or stats <EM>sum()</EM>,<BR /> which destroys the individual events.</P> <P>i feel like it might be a job for a sub-search and <EM>appendcols</EM>, but i haven't been able to work it out.</P> <P>thanks in advance,<BR /> orion</P> Sat, 04 Feb 2012 01:10:04 GMT elenzil 2012-02-04T01:10:04Z using streamstats and stats together https://community.splunk.com/t5/Splunk-Search/using-streamstats-and-stats-together/m-p/64932#M16036 <P>i'd like to produce a field per event that's the running sum of some field as a percentage of the total sum of that field over the whole search.</P> <P>for example, if this were excel, my sheet would look something like this:</P> <PRE><CODE>+-----------------------+---------------+-------------+ | original field values | running total | what i want | +-----------------------+---------------+-------------+ | 1 | 1 | 20% | | 1 | 2 | 40% | | 1 | 3 | 60% | | 1 | 4 | 80% | | 1 | 5 | 100% | +-----------------------+---------------+-------------+ </CODE></PRE> <P>i see that <EM>streamstats</EM> or <EM>accum</EM> can generate my "running total" column,<BR /> but to get my "what i want" column, i need the output of <EM>stats c()</EM> or stats <EM>sum()</EM>,<BR /> which destroys the individual events.</P> <P>i feel like it might be a job for a sub-search and <EM>appendcols</EM>, but i haven't been able to work it out.</P> <P>thanks in advance,<BR /> orion</P> Sat, 04 Feb 2012 01:10:04 GMT https://community.splunk.com/t5/Splunk-Search/using-streamstats-and-stats-together/m-p/64932#M16036 elenzil 2012-02-04T01:10:04Z Re: using streamstats and stats together https://community.splunk.com/t5/Splunk-Search/using-streamstats-and-stats-together/m-p/64933#M16037 <P>index=_internal | head 5 | eval value=1 | eventstats sum(value) as total | streamstats window=0 sum(value) as sumvalue | eval percentage=(sumvalue*100/total) | table value,sumvalue,total,percentage</P> <P>value sumvalue total percentage<BR /> 1 1 5 20<BR /> 1 2 5 40<BR /> 1 3 5 60<BR /> 1 4 5 80<BR /> 1 5 5 100</P> Sun, 11 Jan 2015 18:37:47 GMT https://community.splunk.com/t5/Splunk-Search/using-streamstats-and-stats-together/m-p/64933#M16037 mzorzi 2015-01-11T18:37:47Z