https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109614#M28623 <P>Thank you so much, its working</P> Mon, 06 Apr 2015 10:36:07 GMT Laya123 2015-04-06T10:36:07Z https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109604#M28613 <P>hi,</P> <P>my search is :</P> <PRE><CODE>index=* sourcetype=ABC host=ABC c_met="GET" c_u_s="*mweb.dll*" [search index=* sourcetype=ABC host=ABC c_met="GET" c_u_s="*mweb.dll*" | where isnull(kid) and isnotnull(project) | stats count(project) as PCount by project | table project]| eval Sam=if(isnull(s), "NONE",s) | eval UT=if(isnull(kid), "No", "Yes") | stats count(project) as ProCount by project Sam UT| table project ProCount Sam UT </CODE></PRE> <P>the above search is giving output like:</P> <PRE><CODE>project ProCount Sam UT A 10 S1 No A 200 S1 Yes B 25 S2 No B 100 S2 Yes C 2 S3 No C 1 None No C 150 S3 Yes D 3 S3 No D 2 S4 No D 125 S3 Yes E 125 S2 No E 10 S2 Yes F 3 S3 No F 2 S4 No F 125 S3 Yes F 10 S4 Yes </CODE></PRE> <P>but I dont want all projects. I want to only see projects where the Nos of UT is greater than 5%.</P> <P>This means I want my output to only be projects B &amp; E because only these 2 projects have greater than 5% of Nos for that project.</P> <PRE><CODE>project ProCount Sam UT B 25 S2 No B 100 S2 Yes E 125 S2 No E 10 S2 Yes </CODE></PRE> <P>Please help me do this</P> <P>Thanks </P> Thu, 26 Mar 2015 11:21:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109604#M28613 Laya123 2015-03-26T11:21:04Z https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109605#M28614 <P>Hi Laya123,<BR /> I think what you have to do is to filter your search with the where command.<BR /> I don't understand what you call the Nos of UT. but assuming that you can you "Nos of UT" and your five_percent , try something like this:</P> <P>.......|eval "No of UT"=.....|eval five_percent=.......| table project ProCount Sam UT|where "Nos fo UT" &gt; five_percent </P> Mon, 28 Sep 2020 19:20:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109605#M28614 stephane_cyrill 2020-09-28T19:20:45Z https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109606#M28615 <P>Hi,</P> <P>Thanks for your immediate response, Nos of UT means in my example there is one 'UT' column in that Yes and No values are there. I want percentage only for 'No' means where ever projects is having more than 5% of No i want to display only those projects with the same number of columns.</P> <P>Thank you so much</P> Thu, 26 Mar 2015 13:14:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109606#M28615 Laya123 2015-03-26T13:14:07Z https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109607#M28616 <P>What happens if you add:</P> <PRE><CODE>| appendpipe [| stats sum(ProCount) as Total by project] | eval Perc=ProCount/project*100 | search Perc&gt;5 UT="No" </CODE></PRE> Thu, 26 Mar 2015 13:46:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109607#M28616 masonmorales 2015-03-26T13:46:44Z https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109608#M28617 <P>Thank you for your response where I have to add this query after the subsearch or end of the search, Pl suggest</P> <P>Thank you</P> Thu, 26 Mar 2015 13:48:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109608#M28617 Laya123 2015-03-26T13:48:14Z https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109609#M28618 <P>I copied your query after subsearch and end of the subsearch but not getting any results. pl help me</P> <P>Thanks </P> Thu, 26 Mar 2015 15:06:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109609#M28618 Laya123 2015-03-26T15:06:59Z https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109610#M28619 <P>It's very difficult to write a search based on the results of an existing search. Would you be able to post some sample data that we can work with?</P> Thu, 26 Mar 2015 16:37:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109610#M28619 masonmorales 2015-03-26T16:37:04Z https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109611#M28620 <P>hi, </P> <P>sorry for the late response and thank you so much for your help</P> <P>here is the raw sample data </P> <P>sourcetype host c_met c_u_s kid project s<BR /> ABC ABC GET mweb.dll 0djtr1 A S1<BR /> ABC ABC GET mweb.dll 0djtr2 A S1<BR /> ABC ABC GET mweb.dll 0djtr3 A S1<BR /> ABC ABC GET mweb.dll 0djtr4 A S1<BR /> ABC ABC GET mweb.dll A S1<BR /> ABC ABC GET mweb.dll A S1<BR /> ABC ABC GET mweb.dll 0djtr5 A S2<BR /> ABC ABC GET mweb.dll 0djtr6 A S2<BR /> ABC ABC GET mweb.dll 0djtr7 A S2<BR /> ABC ABC GET mweb.dll 0djtr8 A S2<BR /> ABC ABC GET mweb.dll 0djtr9 A S2<BR /> ABC ABC GET mweb.dll 0djtr10 A S2<BR /> ABC ABC GET mweb.dll abcd1 B S1<BR /> ABC ABC GET mweb.dll abcd2 B S1<BR /> ABC ABC GET mweb.dll abcd3 B S1<BR /> ABC ABC GET mweb.dll abcd4 B S1<BR /> ABC ABC GET mweb.dll B S1<BR /> ABC ABC GET mweb.dll B S1<BR /> ABC ABC GET mweb.dll B S2<BR /> ABC ABC GET mweb.dll B<BR /><BR /> ABC ABC GET mweb.dll B<BR /><BR /> ABC ABC GET mweb.dll B S2<BR /> ABC ABC GET mweb.dll abcd9 B S2<BR /> ABC ABC GET mweb.dll abcd9 B S2<BR /> ABC ABC GET mweb.dll lkimn1 C S1<BR /> ABC ABC GET mweb.dll lkimn2 C S1<BR /> ABC ABC GET mweb.dll lkimn3 C S1<BR /> ABC ABC GET mweb.dll lkimn4 C S1<BR /> ABC ABC GET mweb.dll C S1<BR /> ABC ABC GET mweb.dll C S1<BR /> ABC ABC GET mweb.dll C<BR /><BR /> ABC ABC GET mweb.dll lkimn6 C S2<BR /> ABC ABC GET mweb.dll lkimn7 C S2<BR /> ABC ABC GET mweb.dll lkimn8 C S2<BR /> ABC ABC GET mweb.dll lkimn9 C S2<BR /> ABC ABC GET mweb.dll lkimn10 C S2</P> <P>form above data for some projects there is no kid my query is giving correct results only but i am getting all projects, but i want no kid &gt;5% projects . I want my output from the above data is</P> <P>My query:<BR /> index=* sourcetype=ABC host=ABC c_met="GET" c_u_s="<EM>mweb.dll</EM>" [search index=* sourcetype=ABC host=ABC c_met="GET" c_u_s="<EM>mweb.dll</EM>" | where isnull(kid) and isnotnull(project) | stats count(project) as PCount by project | table project]| eval Sam=if(isnull(s), "NONE",s) | eval UT=if(isnull(kid), "No", "Yes") | stats count(project) as ProCount by project Sam UT| table project ProCount Sam UT</P> <P>using the above query i am getting all projects but i want only B. why because total procount = 12 out of this 6 are not having kid means 50% not having kid. like this i want my output where not having kid&gt;5% of projects</P> <P>project ProCount Sam UT<BR /> B 4 S1 Yes<BR /> B 2 S1 No<BR /> B 2 S2 No<BR /> B 2 S2 Yes<BR /> B 2 NONE No</P> <P>Thank you so much</P> <P>Regards</P> Mon, 28 Sep 2020 19:21:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109611#M28620 Laya123 2020-09-28T19:21:48Z https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109612#M28621 <P>Hi, <BR /> Thank you for your response</P> <P>I sent the sample data can you help me </P> <P>Regards</P> Wed, 01 Apr 2015 11:44:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109612#M28621 Laya123 2015-04-01T11:44:16Z https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109613#M28622 <P>Try this</P> <PRE><CODE> index=* sourcetype=ABC host=ABC c_met="GET" c_u_s="*mweb.dll*" [search index=* sourcetype=ABC host=ABC c_met="GET" c_u_s="*mweb.dll*" | where isnull(kid) and isnotnull(project) | stats count(project) as PCount by project | table project]| eval Sam=if(isnull(s), "NONE",s) | eval UT=if(isnull(kid), "No", "Yes") | stats count(project) as ProCount by project Sam UT| table project ProCount Sam UT | eval NoCount=if(UT="No",ProCount,0) | eventstats sum(NoCount) as NoCount sum(ProCount) as Total by project | where NoCount&gt;0.05*Total | fields - NoCount Total </CODE></PRE> Thu, 02 Apr 2015 15:49:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109613#M28622 somesoni2 2015-04-02T15:49:59Z https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109614#M28623 <P>Thank you so much, its working</P> Mon, 06 Apr 2015 10:36:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-only-return-values-from-a-search-where-the-percentage-is/m-p/109614#M28623 Laya123 2015-04-06T10:36:07Z