https://community.splunk.com/t5/Splunk-Search/Combining-stats-search-results/m-p/159379#M44971 <P>I run a search on a field that has multiple values. For example the field quest_name has the following values</P> <PRE><CODE>quest_name </CODE></PRE> <P>1 wpad.TASCNET.tasc.com<BR /> 2 wpad.tascnet.tasc.com<BR /> 3 wpad.stafford.net</P> <P>1). I can compute the number of records that exists for each field value with the following search</P> <P>index=dns* quest_name=wpad* | stats count by quest_name | sort - count</P> <P>The results are</P> <PRE><CODE>quest_name count </CODE></PRE> <P>1 wpad.TASCNET.tasc.com 5777<BR /> 2 wpad.tascnet.tasc.com 1324<BR /> 3 wpad.stafford.net 225</P> <P>2). I can compute the total number of records for all values for quest_name with the following search</P> <P>index=dns* quest_name=wpad* | stats count(quest_name) AS total</P> <P>The results are</P> <PRE><CODE>total </CODE></PRE> <P>1 9492</P> <P>3). Now I want to obtain the percentage of each field value in relation to the "total" value using a single search to show the following calculations:</P> <PRE><CODE>quest_name count percent </CODE></PRE> <P>1 wpad.TASCNET.tasc.com 5777 5777/9492=<BR /> 2 wpad.tascnet.tasc.com 1324 1324/9492=<BR /> 3 wpad.stafford.net 225 225/9492= </P> <P>This I have not been able to do. Your help is requested. Thank you.</P> Mon, 28 Sep 2020 16:34:37 GMT Thuan 2020-09-28T16:34:37Z https://community.splunk.com/t5/Splunk-Search/Combining-stats-search-results/m-p/159379#M44971 <P>I run a search on a field that has multiple values. For example the field quest_name has the following values</P> <PRE><CODE>quest_name </CODE></PRE> <P>1 wpad.TASCNET.tasc.com<BR /> 2 wpad.tascnet.tasc.com<BR /> 3 wpad.stafford.net</P> <P>1). I can compute the number of records that exists for each field value with the following search</P> <P>index=dns* quest_name=wpad* | stats count by quest_name | sort - count</P> <P>The results are</P> <PRE><CODE>quest_name count </CODE></PRE> <P>1 wpad.TASCNET.tasc.com 5777<BR /> 2 wpad.tascnet.tasc.com 1324<BR /> 3 wpad.stafford.net 225</P> <P>2). I can compute the total number of records for all values for quest_name with the following search</P> <P>index=dns* quest_name=wpad* | stats count(quest_name) AS total</P> <P>The results are</P> <PRE><CODE>total </CODE></PRE> <P>1 9492</P> <P>3). Now I want to obtain the percentage of each field value in relation to the "total" value using a single search to show the following calculations:</P> <PRE><CODE>quest_name count percent </CODE></PRE> <P>1 wpad.TASCNET.tasc.com 5777 5777/9492=<BR /> 2 wpad.tascnet.tasc.com 1324 1324/9492=<BR /> 3 wpad.stafford.net 225 225/9492= </P> <P>This I have not been able to do. Your help is requested. Thank you.</P> Mon, 28 Sep 2020 16:34:37 GMT https://community.splunk.com/t5/Splunk-Search/Combining-stats-search-results/m-p/159379#M44971 Thuan 2020-09-28T16:34:37Z https://community.splunk.com/t5/Splunk-Search/Combining-stats-search-results/m-p/159380#M44972 <P>Hello Thuan,<BR /> Try this</P> <PRE><CODE>index=dns quest_name=wpad | stats count by quest_name|eval a="a1"|join a[|search index=dns quest_name=wpad | stats count(quest_name) AS total|eval a="a1"|table a,total]|eval percent=(count/total)*100|eval percentage=percent.%|table quest_name,count,percentage </CODE></PRE> <P>OR you may as look at the below simple one, i guess both give the same result.</P> <PRE><CODE>index=dns quest_name=wpad*|top quest_name </CODE></PRE> <P>Thanks</P> Fri, 09 May 2014 20:04:41 GMT https://community.splunk.com/t5/Splunk-Search/Combining-stats-search-results/m-p/159380#M44972 linu1988 2014-05-09T20:04:41Z https://community.splunk.com/t5/Splunk-Search/Combining-stats-search-results/m-p/159381#M44973 <P>The top command can definitely give you the result.</P> <PRE><CODE> index=dns quest_name=wpad* | top limit=0 quest_name </CODE></PRE> <P>Other option is as below:</P> <PRE><CODE>index=dns quest_name=wpad | stats count by quest_name | sort - count | eventstats sum(count) as total | eval percent=round(count*100/total,2) | fields - total </CODE></PRE> Mon, 12 May 2014 20:07:14 GMT https://community.splunk.com/t5/Splunk-Search/Combining-stats-search-results/m-p/159381#M44973 somesoni2 2014-05-12T20:07:14Z https://community.splunk.com/t5/Splunk-Search/Combining-stats-search-results/m-p/159382#M44974 <P>Thank you for the diversity of answers.<BR /> I now get to know how to use subsearch, join, eventstats.<BR /> One note though about the captchas. I have tried to answer much earlier but I have so many captchas.</P> Tue, 13 May 2014 16:01:54 GMT https://community.splunk.com/t5/Splunk-Search/Combining-stats-search-results/m-p/159382#M44974 Thuan 2014-05-13T16:01:54Z