https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316494#M163607 <P>Did the same. Thanks for the help.</P> Tue, 16 Jan 2018 15:04:02 GMT shiv1593 2018-01-16T15:04:02Z https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316486#M163599 <P>I am fairly new to Splunk and I have a Two fold question. I am running a query to find the top issues reported in the last three months. Below is my query:</P> <P>host="service_desk_tickets" Region=AMER "Sub Category"=* extracted_Source=* Created="<EM>" Summary="</EM>" Number="*"<BR /> | stats count(Number) AS "Number Of Tickets" BY extracted_Source Summary<BR /> | chart sum("Number Of Tickets") OVER Summary BY extracted_Source<BR /> | rename Summary AS "Top Issues Reported By Clients"<BR /> | addtotals<BR /> | sort - Total<BR /> | addcoltotals labelfield="Top Issues Reported By Clients"</P> <P>Here is the resultant of it:</P> <P>.<IMG src="https://community.splunk.com/storage/temp/226734-query.png" alt="alt text" /></P> <P>My Questions are:</P> <P>1&gt; How can I add another Column called Percentage and calculate the average percentage of the total in terms of the total number of events. Example: Row 1 has a total of 1024, so 1024 is 13.646% of 7504 (My total number of events)</P> <P>2&gt; Can I change something in my query to add combine Row 5 and Row 7 into one row, Row 1, 2, 4, into one row, naming it as a new row and add their totals into one, as they are pretty much the same issue, password reset or account unlock. If possible. I have heard that once indexed, data fields can't be added into one.</P> Tue, 29 Sep 2020 17:43:40 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316486#M163599 shiv1593 2020-09-29T17:43:40Z https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316487#M163600 <P>can you put your code in <CODE>101010</CODE> format?</P> Tue, 16 Jan 2018 11:09:05 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316487#M163600 mayurr98 2018-01-16T11:09:05Z https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316488#M163601 <P>okay to solve your first query</P> <P>you can try</P> <PRE><CODE>host="service_desk_tickets" Region=AMER "Sub Category"= extracted_Source= Created="" Summary="" Number="*" | stats count(Number) AS "Number Of Tickets" BY extracted_Source Summary | chart sum("Number Of Tickets") OVER Summary BY extracted_Source | rename Summary AS "Top Issues Reported By Clients" | addtotals | sort - Total | eventstats sum(Total) as Total1 | eval pecentage=Total1*100/Total | addcoltotals labelfield="Top Issues Reported By Clients" | fields - Total1 </CODE></PRE> <P>Now for your second query, in order to combine multiple count you can use <CODE>replace</CODE> command. let suppose you want to combine <CODE>AD Password reset</CODE> and <CODE>AD accound unlock</CODE> into a value called <CODE>Reset</CODE>....you can replace multiple values like that..I am just showing you how to do with two values..you can do the same for multiple values like that</P> <P>then you can change your query as </P> <PRE><CODE> host="service_desk_tickets" Region=AMER "Sub Category"= extracted_Source= Created="" Summary="" Number="*" | replace "AD Password reset" WITH "Reset" "AD accound reset" WITH "Reset" IN Summary | stats count(Number) AS "Number Of Tickets" BY extracted_Source Summary | chart sum("Number Of Tickets") OVER Summary BY extracted_Source | rename Summary AS "Top Issues Reported By Clients" | addtotals | sort - Total | eventstats sum(Total) as Total1 | eval pecentage=Total1*100/Total | addcoltotals labelfield="Top Issues Reported By Clients" | fields - Total1 </CODE></PRE> <P>Let me know if this helps!</P> Tue, 16 Jan 2018 11:16:40 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316488#M163601 mayurr98 2018-01-16T11:16:40Z https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316489#M163602 <P>use <A href="http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Streamstats">streamstats</A> </P> Tue, 16 Jan 2018 11:43:28 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316489#M163602 paramagurukarth 2018-01-16T11:43:28Z https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316490#M163603 <PRE><CODE>host="service_desk_tickets" Region=AMER "Sub Category"= extracted_Source= Created="" Summary="" Number="*" | stats count(Number) AS "Number Of Tickets" BY extracted_Source Summary | chart sum("Number Of Tickets") OVER Summary BY extracted_Source | rename Summary AS "Top Issues Reported By Clients" | addtotals | sort - Total | addcoltotals labelfield="Top Issues Reported By Clients" </CODE></PRE> Tue, 16 Jan 2018 11:46:31 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316490#M163603 shiv1593 2018-01-16T11:46:31Z https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316491#M163604 <P>I have updated my query check my solution and let me know if it helps!</P> Tue, 16 Jan 2018 11:51:13 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316491#M163604 mayurr98 2018-01-16T11:51:13Z https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316492#M163605 <P>Thanks a lot Mayur. Your solution works perfectly, with a change. The correct Percentage will be calculated by eval pecentage=Total*100/Total1. Apart from that, it is perfect.</P> <P>Replace command is working wonders too, but I have a lot of fields to combine, which might make the query way too long. Is there an alternative, where I can use specific keywords and combine the data, like by using Password reset, or Account unlock and combine whichever field have these keywords?</P> Tue, 16 Jan 2018 12:47:02 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316492#M163605 shiv1593 2018-01-16T12:47:02Z https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316493#M163606 <P>you can use wildcard operator <CODE>*</CODE> . like | <CODE>replace *reset* WITH Reset IN Summary</CODE><BR /> let me know if this helps !</P> Tue, 16 Jan 2018 12:54:55 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316493#M163606 mayurr98 2018-01-16T12:54:55Z https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316494#M163607 <P>Did the same. Thanks for the help.</P> Tue, 16 Jan 2018 15:04:02 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-in-every-row-adding-two-search-results-into/m-p/316494#M163607 shiv1593 2018-01-16T15:04:02Z