https://community.splunk.com/t5/Splunk-Search/top-command-or-count-percent-of-values-off-stats-command-summary/m-p/127493#M34601 <P>I am assuming after the stats command, the events are like below</P> <P>brower count<BR /> IE xx<BR /> Chrome yy<BR /> ......</P> <P>Then you can do something like this after stats.</P> <PRE><CODE>...your stats query...| eventstats sum(count) as Total | eval percent=round(count*100/Total,1)."%" | sort -count | streamstats count as sno | where sno &lt; NoOfTopValuesYouWantToSee | fields - Total, sno </CODE></PRE> Thu, 10 Apr 2014 17:45:28 GMT somesoni2 2014-04-10T17:45:28Z https://community.splunk.com/t5/Splunk-Search/top-command-or-count-percent-of-values-off-stats-command-summary/m-p/127491#M34599 <P>Using Splunk 5.0.8 SH right now, upgrade to 6 not until June.</P> <P>I have a dashboard that currently executes 24 searches for a span of 24 hours. Goal: Run one search and post-process the dash panels as everything has one filter search and can be summarized into 7 different fields and value combos. That one search would be saved and accelerated and end in a stats command.</P> <P>ISSUE: most of my panels are top commands. since I plan to both timechart and top the results, I would be bucketing _time. How can I use the top command to take into account the values from the count field? Example of issue: If I have one stats event with browser=IE and a count of 10 and another stats event with browser=Chrome with a count of 5, a <EM>| top browser</EM> will show me:<BR /> browser count percent<BR /> Chrome 1 50%<BR /> IE 1 50%</P> <P>This is not what I need. I need both the sum of count for each value rather than the top command's count of the events. I also need the percent so just doing a <EM>sum(count) by browser | sort browser | head 10</EM> doesn't do it.</P> Thu, 10 Apr 2014 16:41:05 GMT https://community.splunk.com/t5/Splunk-Search/top-command-or-count-percent-of-values-off-stats-command-summary/m-p/127491#M34599 jluste 2014-04-10T16:41:05Z https://community.splunk.com/t5/Splunk-Search/top-command-or-count-percent-of-values-off-stats-command-summary/m-p/127492#M34600 <P>So I found my own answer after more Splunk Answers digging: Found <A href="http://answers.splunk.com/answers/6157/percent-of-total">here</A></P> <P>Basically what I need is <EM>this</EM> added to get a "top-like result" for summarized data (either from a summary index or post processing from a stats commanded result:</P> <P>| stats sum(count) as count by browser | eventstats sum(count) as Total | eval percent = round((count/Total)*100,2) . "%" | fields - Total</P> Thu, 10 Apr 2014 17:38:42 GMT https://community.splunk.com/t5/Splunk-Search/top-command-or-count-percent-of-values-off-stats-command-summary/m-p/127492#M34600 jluste 2014-04-10T17:38:42Z https://community.splunk.com/t5/Splunk-Search/top-command-or-count-percent-of-values-off-stats-command-summary/m-p/127493#M34601 <P>I am assuming after the stats command, the events are like below</P> <P>brower count<BR /> IE xx<BR /> Chrome yy<BR /> ......</P> <P>Then you can do something like this after stats.</P> <PRE><CODE>...your stats query...| eventstats sum(count) as Total | eval percent=round(count*100/Total,1)."%" | sort -count | streamstats count as sno | where sno &lt; NoOfTopValuesYouWantToSee | fields - Total, sno </CODE></PRE> Thu, 10 Apr 2014 17:45:28 GMT https://community.splunk.com/t5/Splunk-Search/top-command-or-count-percent-of-values-off-stats-command-summary/m-p/127493#M34601 somesoni2 2014-04-10T17:45:28Z