topic How do I search for a Term, then get the Percentage out of Total? in Splunk Search

How do I search for a Term, then get the Percentage out of Total?

mkarimi — Mon, 28 Sep 2020 14:52:07 GMT

I'm writing a search query that needs to look for a specific word SPECIFIC_WORD in the logs of host HOST_X and then determine how many times that searched term comes up when compared to overall. Looking for something along the lines of:

1) search: host='HOST_X' => it will yield to say 100 results
2) search: host='HOST_X' "SPECIFC_WORD" => it will yield to say 20 results
3) do a percentage out of total => 20%
4) be able to do the best graph by date_hour of step_2/step_1

I've done something like that already:

host="HOST_X" | stats count as total by date_hour | join [search host="HOST_X" "SPECIFIC_WORD" | stats count as something by date_hour] | eval percent_out_of=(something/total)*100

That seems to give me what I'm looking for, but only see total in the graph. It could be that the total number is just too large, but I'm not sure)

Re: How do I search for a Term, then get the Percentage out of Total?

alacercogitatus — Mon, 30 Sep 2013 21:55:41 GMT

Actually, you should be able to do this without a join.

host="HOST_X" | eval does_match = if(searchmatch("SPECIFIC_WORD"),1,0) | stats sum(does_match) as Specific_Word count as Total by date_hour | eval percent_out_of = (Specific_Word/count)*100

Re: How do I search for a Term, then get the Percentage out of Total?

mkarimi — Wed, 02 Oct 2013 16:33:09 GMT

thanks for the help. Is it possible to show them both in the same time vs count column graph? I know I can change the graph type but it shows them next to each other in the column graph instead of the same column.