topic Re: How to edit my search to calculate percentage for each row? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291194#M87981 <P>Yes this is the solution</P> Sat, 13 May 2017 09:37:53 GMT sonila 2017-05-13T09:37:53Z How to edit my search to calculate percentage for each row? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291186#M87973 <PRE><CODE>earliest=-72h@h latest=@h index=dga | transaction EventType maxevents=2 |stats count as total | appendcols [search earliest=-72h@h latest=@h index=dga | transaction EventType maxevents=2| where Result="False" OR Result="false" |timechart span=1h count | eval time=_time-now()%259200 | timechart span=24h sum(count) as count | tail 3 | tail 2 | eval _time=_time+now()%259200] | eval percentage=count*100/total | table count, p </CODE></PRE> <P>Why can't it calculate the whole percentage? It calculates only for the first row</P> Fri, 12 May 2017 19:08:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291186#M87973 sonila 2017-05-12T19:08:36Z Re: How to edit my search to calculate percentage for each row? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291187#M87974 <P>The first query of your's is giving only single row (output of stats) hence the field total is only populated in row1 and thus percentage is only available in row1. I believe something like this would work efficiently and give you expected result.</P> <PRE><CODE>earliest=-72h@h latest=@h index=dga | transaction EventType maxevents=2 | eventstats count as total | where Result="False" OR Result="false" |timechart span=1h count max(total) as total | eval time=_time-now()%259200 | timechart span=24h sum(count) as count max(total) as total | tail 2 | eval _time=_time+now()%259200 | eval percentage=count*100/total | table count, p </CODE></PRE> Fri, 12 May 2017 19:28:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291187#M87974 somesoni2 2017-05-12T19:28:09Z Re: How to edit my search to calculate percentage for each row? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291188#M87975 <P>nope doesnt work this</P> <PRE><CODE>earliest=-72h@h latest=@h index=dga | transaction EventType maxevents=2| where Result="False" OR Result="false" |timechart span=1h count | eval time=_time-now()%259200 | timechart span=24h sum(count) as count | tail 3 | tail 2 | eval _time=_time+now()%259200 | appendcols [ search earliest=-72h@h latest=@h index=dga | transaction EventType maxevents=2 | timechart span=1h count as total |eval time=_time-now()%259200 | timechart span=24h sum(total) as total | tail 3 | tail 2 | eval _time=_time+now()%259200 ] | eval p=count*100/total | eval p = if(isnull(p), 0, p) |fields + p </CODE></PRE> <P>this gave me the solution wanted</P> Fri, 12 May 2017 20:17:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291188#M87975 sonila 2017-05-12T20:17:01Z Re: How to edit my search to calculate percentage for each row? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291189#M87976 <P>Could you describe what's the problem you see with the results?</P> Fri, 12 May 2017 21:21:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291189#M87976 somesoni2 2017-05-12T21:21:04Z Re: How to edit my search to calculate percentage for each row? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291190#M87977 <P>Your solution didnt calculate percentage of each row. <BR /> Instead my version gave me the results for each row.<BR /> <CODE>earliest=-72h@h latest=@h index=dga | transaction EventType maxevents=2| where Result="False" OR Result="false" |timechart span=1h count | eval time=_time-now()%259200 | timechart span=24h sum(count) as count | tail 3 | tail 2 | eval _time=_time+now()%259200</CODE> --&gt; this gave me the number of events of errors counted by time<BR /> and <BR /> <CODE>appendcols [ search earliest=-72h@h latest=@h index=dga | transaction EventType maxevents=2 | timechart span=1h count as total |eval time=_time-now()%259200 | timechart span=24h sum(total) as total | tail 3 | tail 2 | eval _time=_time+now()%259200 ] | eval p=count*100/total</CODE> ---&gt; this gave me the total and percentage of each row</P> Fri, 12 May 2017 21:27:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291190#M87977 sonila 2017-05-12T21:27:17Z Re: How to edit my search to calculate percentage for each row? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291191#M87978 <P>Your <CODE>transaction</CODE> commands look strange to me and I suspect that are gross overkill for what you are trying to do. Please show a few sample events and the desire end result. I am sure that we can create something in a much more efficient way than the path that you are on.</P> Sat, 13 May 2017 00:34:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291191#M87978 woodcock 2017-05-13T00:34:39Z Re: How to edit my search to calculate percentage for each row? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291192#M87979 <P>@sonila - I just want to confirm: The solution you found above is the answer to your question? If yes, let me know and I can convert your comment as the answer to "Accept". If no and you want to leave your question open for other suggestions, no action needs to be taken.</P> Sat, 13 May 2017 01:50:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291192#M87979 aaraneta_splunk 2017-05-13T01:50:01Z Re: How to edit my search to calculate percentage for each row? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291193#M87980 <P>I need to count two events as one. thats why i used transaction command</P> Sat, 13 May 2017 09:37:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291193#M87980 sonila 2017-05-13T09:37:05Z Re: How to edit my search to calculate percentage for each row? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291194#M87981 <P>Yes this is the solution</P> Sat, 13 May 2017 09:37:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-calculate-percentage-for-each-row/m-p/291194#M87981 sonila 2017-05-13T09:37:53Z