topic How do I edit my search using tstats to get top hosts by percentage? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-using-tstats-to-get-top-hosts-by/m-p/194660#M56126 <P>I run the following every morning, but I know it could be accomplished more efficiently using tstats, but I cannot get the top host by percentage of all host.</P> <PRE><CODE>index=* | top 20 host </CODE></PRE> <P>The following gives me the top host, but I also want to know the percentage of all the hosts.</P> <PRE><CODE>| tstats count by host | sort -count </CODE></PRE> Tue, 07 Jul 2015 11:35:57 GMT mcbradford 2015-07-07T11:35:57Z How do I edit my search using tstats to get top hosts by percentage? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-using-tstats-to-get-top-hosts-by/m-p/194660#M56126 <P>I run the following every morning, but I know it could be accomplished more efficiently using tstats, but I cannot get the top host by percentage of all host.</P> <PRE><CODE>index=* | top 20 host </CODE></PRE> <P>The following gives me the top host, but I also want to know the percentage of all the hosts.</P> <PRE><CODE>| tstats count by host | sort -count </CODE></PRE> Tue, 07 Jul 2015 11:35:57 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-using-tstats-to-get-top-hosts-by/m-p/194660#M56126 mcbradford 2015-07-07T11:35:57Z Re: How do I edit my search using tstats to get top hosts by percentage? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-using-tstats-to-get-top-hosts-by/m-p/194661#M56127 <P>Try this:</P> <PRE><CODE>| tstats count by host | eventstats sum(count) as total | eval percentage = count/total*100 | fields - total | sort - count | head 20 </CODE></PRE> Tue, 07 Jul 2015 11:55:21 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-using-tstats-to-get-top-hosts-by/m-p/194661#M56127 martin_mueller 2015-07-07T11:55:21Z Re: How do I edit my search using tstats to get top hosts by percentage? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-using-tstats-to-get-top-hosts-by/m-p/194662#M56128 <P>I downvoted this post because doesn't work on large event sets over 10000 rows</P> Mon, 28 Nov 2016 18:08:30 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-using-tstats-to-get-top-hosts-by/m-p/194662#M56128 w531t4 2016-11-28T18:08:30Z Re: How do I edit my search using tstats to get top hosts by percentage? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-using-tstats-to-get-top-hosts-by/m-p/194663#M56129 <P>All you need to do is read the <CODE>sort</CODE> docs: <CODE>| sort 0 - count</CODE> will work for larger sets.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/sort">http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/sort</A></P> Mon, 28 Nov 2016 18:19:24 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-using-tstats-to-get-top-hosts-by/m-p/194663#M56129 martin_mueller 2016-11-28T18:19:24Z Re: How do I edit my search using tstats to get top hosts by percentage? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-using-tstats-to-get-top-hosts-by/m-p/194664#M56130 <P>I suppose that works, my mistake. Thanks!</P> Mon, 28 Nov 2016 18:24:22 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-search-using-tstats-to-get-top-hosts-by/m-p/194664#M56130 w531t4 2016-11-28T18:24:22Z