topic Re: How to reuse the count from a previous search to calculate a percentage in a second search or combine the two searches? in Splunk Search

How to reuse the count from a previous search to calculate a percentage in a second search or combine the two searches?

otman01 — Fri, 03 Apr 2015 07:56:24 GMT

Hi,

I want to create a dashboard using these 2 searches:
1) the first one index='text' | count, will give a result. For example result=250
2) the second one will be based on the result of the first one
index='text' type='cpu'| eventstats sum(nombre) as total | eval pourcentage=round((nombre/result)*100,2) | table EventType, nombre, pourcentage

Do you have an idea how to do this?
Thank you all, have a nice day

Re: How to reuse the count from a previous search to calculate a percentage in a second search or combine the two searches?

stephane_cyrill — Fri, 03 Apr 2015 08:52:26 GMT

Hi, Otman01
try this:
index='text'|count AS result [search index='text' type='cpu'| eventstats sum(nombre) as total ]| eval pourcentage=round((nombre/result)*100,2) | table EventType, nombre, pourcentage

Thanks to vote and Accept if your are satisfied....

Re: How to reuse the count from a previous search to calculate a percentage in a second search or combine the two searches?

otman01 — Mon, 28 Sep 2020 19:23:13 GMT

I have some problems in the 2 searchs. can you help me ? thank you
"Error in 'chart' command: The argument '( ( EventType=0 AND count=7957 ) )' is invalid."

this is exactely the first search:
source="WinEventLog:*" | chart count AS result

this is the second:
search source="WinEventLog:*" EventType=0 | chart count by EventType

in the general search I do like bellow (it works to give me the percentage)

source="WinEventLog:*" | chart count as nombre by EventType | eventstats sum(nombre) as total | eval percentage=round((nombre/total)*100,2) | table EventType, nombre, percentage

but I want to keep each row in a separate panel .

Re: How to reuse the count from a previous search to calculate a percentage in a second search or combine the two searches?

otman01 — Fri, 03 Apr 2015 13:31:30 GMT

Yes EventType is a field for me there are a values that it accept (0.1.2.3.4.5.6)
thank you

Re: How to reuse the count from a previous search to calculate a percentage in a second search or combine the two searches?

chimell — Sat, 04 Apr 2015 11:43:25 GMT

Hi otman01
Try this xml code

    <dashboard>
      <label>fcff</label>
      <row>
        <panel>
          <chart>
            <search>
              <query>source="WinEventLog:*" | chart count AS result</query>
              <earliest>0</earliest>
              <latest>now</latest>
            </search>
          </chart>
        </panel>
      </row>
    <row>
        <panel>
          <chart>
            <search>
              <query> source="WinEventLog:*" EventType=0 | chart count by EventType </query>
              <earliest>0</earliest>
              <latest>now</latest>
            </search>
          </chart>
        </panel>
      </row>
    <row>
        <panel>
          <chart>
            <search>
              <query> source="WinEventLog:*" | chart count as nombre by EventType | eventstats sum(nombre) as total | eval percentage=round((nombre/total)*100,2) | table EventType, nombre, percentage </query>
              <earliest>0</earliest>
              <latest>now</latest>
            </search>
          </chart>
        </panel>
      </row>
    </dashboard>

Re: How to reuse the count from a previous search to calculate a percentage in a second search or combine the two searches?

otman01 — Tue, 07 Apr 2015 08:08:02 GMT

Thank you for your answer.
so this is an extrat of the result that the search return:
EventType--------nombre ------------------- percentage
0------------------- 8246 ----------------------- 14.43
1 ------------------- 18 --------------------------- 0.03
2 ------------------- 7512 ----------------------- 13.15
3 ------------------- 3982 ------------------------ 6.97
4 ------------------- 37286 ---------------------- 65.25
5 ------------------- 101 -------------------------- 0.18

What I want to do is extract for example the 2nd row and the 4th row .
Is this is POSSIBLE ?

Re: How to reuse the count from a previous search to calculate a percentage in a second search or combine the two searches?

otman01 — Tue, 07 Apr 2015 09:50:18 GMT

Thank you I could find another solution, for my case I use WHERE expression to extrat just one line

Re: How to reuse the count from a previous search to calculate a percentage in a second search or combine the two searches?

chimell — Tue, 07 Apr 2015 09:59:51 GMT

Are you satisfied by my previous answer ? If yes let vote it

Re: How to reuse the count from a previous search to calculate a percentage in a second search or combine the two searches?

chimell — Tue, 07 Apr 2015 10:47:32 GMT

Hi otman01
Just follow this link ,it will help you
http://answers.splunk.com/answers/169069/extract-one-row-of-data-from-a-table.html

Re: How to reuse the count from a previous search to calculate a percentage in a second search or combine the two searches?

ppablo — Thu, 09 Apr 2015 22:09:07 GMT

Hi @otman01

Please be sure than when responding to someone's answer, click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You keep typing your responses in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer when it was really meant as a comment. This will help with a clean continuous flow of the conversation. It gets difficult when people don't know who you're responding to. I already converted your answer to a comment, so just something to keep in mind from here on out. Thanks