https://community.splunk.com/t5/Splunk-Search/Show-percentage-of-total-by-buckets/m-p/18912#M2816 <P>Ah this is so obvious now. Thanks so much!</P> Mon, 04 Feb 2013 21:49:40 GMT cosullivan66 2013-02-04T21:49:40Z https://community.splunk.com/t5/Splunk-Search/Show-percentage-of-total-by-buckets/m-p/18910#M2814 <P>I'm evaluating a variable called lengthofpayload. I want to separate it into 10 buckets: 0-1000, 1000-2000, etc. Each bucket has a number of events in it, and I want to find the percent of the total events found in that time window each bucket holds. For example, if I wanted to find the number of events and how their payload lengths are distributed in the last 24 hours, it'd look like this:</P> <PRE><CODE>6,000 events found lengthofpayload percentage 0-1000 16% 1000-2000 40% 2000-3000 20% </CODE></PRE> <P>I found this link to something similar, but I don't want a timechart in the end: <A href="http://splunk-base.splunk.com/answers/27590/charting-percentage-of-a-total-over-time">http://splunk-base.splunk.com/answers/27590/charting-percentage-of-a-total-over-time</A></P> <P>This is the code I'm using and I think it's close but it doesn't work. It prints nothing out for the first(percentage) variable. </P> <PRE><CODE>sourcetype="dbmon:kv" | search EVENTTYPE="ScreenSharingEvent" | eval lengthofpayload=len(PAYLOAD) | bucket lengthofpayload bins=10 | eventstats count as total by length of payload | stats count first(total) as total by lengthofpayload | eval percent=(count/total)*100 | chart first(percent) by lengthofpayload </CODE></PRE> <P>Thanks in advance for help/suggestions!</P> Mon, 04 Feb 2013 19:12:32 GMT https://community.splunk.com/t5/Splunk-Search/Show-percentage-of-total-by-buckets/m-p/18910#M2814 cosullivan66 2013-02-04T19:12:32Z https://community.splunk.com/t5/Splunk-Search/Show-percentage-of-total-by-buckets/m-p/18911#M2815 <P>You can use | top: it will give you the distribution # and % of results grouped by the value of a field. </P> <PRE><CODE>sourcetype="dbmon:kv" | search EVENTTYPE="ScreenSharingEvent" | eval lengthofpayload=len(PAYLOAD) | bucket lengthofpayload bins=10 | top lengthofpayload </CODE></PRE> Mon, 04 Feb 2013 21:22:47 GMT https://community.splunk.com/t5/Splunk-Search/Show-percentage-of-total-by-buckets/m-p/18911#M2815 Paolo_Prigione 2013-02-04T21:22:47Z https://community.splunk.com/t5/Splunk-Search/Show-percentage-of-total-by-buckets/m-p/18912#M2816 <P>Ah this is so obvious now. Thanks so much!</P> Mon, 04 Feb 2013 21:49:40 GMT https://community.splunk.com/t5/Splunk-Search/Show-percentage-of-total-by-buckets/m-p/18912#M2816 cosullivan66 2013-02-04T21:49:40Z https://community.splunk.com/t5/Splunk-Search/Show-percentage-of-total-by-buckets/m-p/18913#M2817 <P>I'd like it to display % without #. Do you know how to delete the # column?</P> Mon, 04 Feb 2013 21:52:58 GMT https://community.splunk.com/t5/Splunk-Search/Show-percentage-of-total-by-buckets/m-p/18913#M2817 cosullivan66 2013-02-04T21:52:58Z https://community.splunk.com/t5/Splunk-Search/Show-percentage-of-total-by-buckets/m-p/18914#M2818 <P>| top showcount=false lengthofpayload</P> Mon, 04 Feb 2013 21:55:00 GMT https://community.splunk.com/t5/Splunk-Search/Show-percentage-of-total-by-buckets/m-p/18914#M2818 Paolo_Prigione 2013-02-04T21:55:00Z