https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-of-multiple-values-different-events/m-p/213456#M62619 <P>I am trying to display the percentage of Total Modems against Total Modems on Card 0.</P> <P>The XML I am given unfortunately breaks up data from essentially one event into three:</P> <P><IMG src="http://i.imgur.com/T84LY2R.png" alt="alt text" /></P> <PRE><CODE>source="C:\\splunk_files\\summary.xml" host="OSSTEST01" index="prtg_cmts" sourcetype="PRTG_API" | rex "(&lt;sensor&gt;)(?&lt;sensor&gt;.*)&lt;" | rex "(&lt;group&gt;)(?&lt;group&gt;.*)&lt;" | rex "(&lt;lastvalue&gt;)(?&lt;value&gt;\d+)\s" | search group="Bertha/Hewitt CMTS" | table _time, group, sensor, value </CODE></PRE> <P>I have tried running a sub search to get <EM>just</EM> total modem count, and then compare that to the count of the two other rows, using <STRONG>eventstats</STRONG>, but that was not successful. </P> Mon, 26 Sep 2016 16:25:09 GMT evan_roggenkamp 2016-09-26T16:25:09Z https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-of-multiple-values-different-events/m-p/213456#M62619 <P>I am trying to display the percentage of Total Modems against Total Modems on Card 0.</P> <P>The XML I am given unfortunately breaks up data from essentially one event into three:</P> <P><IMG src="http://i.imgur.com/T84LY2R.png" alt="alt text" /></P> <PRE><CODE>source="C:\\splunk_files\\summary.xml" host="OSSTEST01" index="prtg_cmts" sourcetype="PRTG_API" | rex "(&lt;sensor&gt;)(?&lt;sensor&gt;.*)&lt;" | rex "(&lt;group&gt;)(?&lt;group&gt;.*)&lt;" | rex "(&lt;lastvalue&gt;)(?&lt;value&gt;\d+)\s" | search group="Bertha/Hewitt CMTS" | table _time, group, sensor, value </CODE></PRE> <P>I have tried running a sub search to get <EM>just</EM> total modem count, and then compare that to the count of the two other rows, using <STRONG>eventstats</STRONG>, but that was not successful. </P> Mon, 26 Sep 2016 16:25:09 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-of-multiple-values-different-events/m-p/213456#M62619 evan_roggenkamp 2016-09-26T16:25:09Z https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-of-multiple-values-different-events/m-p/213457#M62620 <P>Try this</P> <PRE><CODE>source="C:\\splunk_files\\summary.xml" host="OSSTEST01" index="prtg_cmts" sourcetype="PRTG_API" | rex "(&lt;group&gt;)(?&lt;group&gt;.*)&lt;" | search group="Bertha/Hewitt CMTS" | rex "(&lt;sensor&gt;)(?&lt;sensor&gt;.*)&lt;" | rex "(&lt;lastvalue&gt;)(?&lt;value&gt;\d+)\s" | table _time, group, sensor, value | eventstats sum(value) as Total by _time group | eval Percentage=round(value*100/Total,2) </CODE></PRE> <P><STRONG>Updated</STRONG><BR /> If I'm not wrong, it easy to implement by just changing <CODE>eventstats sum(..</CODE> to <CODE>eventstats max(..</CODE></P> <PRE><CODE>source="C:\\splunk_files\\summary.xml" host="OSSTEST01" index="prtg_cmts" sourcetype="PRTG_API" | rex "(&lt;group&gt;)(?&lt;group&gt;.*)&lt;" | search group="Bertha/Hewitt CMTS" | rex "(&lt;sensor&gt;)(?&lt;sensor&gt;.*)&lt;" | rex "(&lt;lastvalue&gt;)(?&lt;value&gt;\d+)\s" | table _time, group, sensor, value | eventstats max(value) as Total by _time group | eval Percentage=round(value*100/Total,2) </CODE></PRE> Mon, 26 Sep 2016 16:44:14 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-of-multiple-values-different-events/m-p/213457#M62620 somesoni2 2016-09-26T16:44:14Z https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-of-multiple-values-different-events/m-p/213458#M62621 <P>That is helpful. I maybe forgot to mention, the first row is actually the total and the values below it fractional representations of it (they add up to the total). </P> <P>So in this case:<BR /> The first row has the total modems: 126<BR /> Upstream 5 has 86 modems online so it has 68% of the modems online<BR /> Upstream 6 has 40 modems online so it has 32% of the modems online</P> <P>So there are 100% of the modems online. That is what I would like to represent in a single value field.</P> Mon, 26 Sep 2016 17:58:58 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-percentage-of-multiple-values-different-events/m-p/213458#M62621 evan_roggenkamp 2016-09-26T17:58:58Z