
How do I create splunk query to get the total percentage of the two results

Explorer

I'm new to Splunk and need further guidance to be able to accomplish my dashboard for Pi-Hole:

Could some expert guide me how?

Queries Blocked
tag=dns tag=network tag=resolution query_type=blocked |stats count

Total Queries
sourcetype="pihole:log*" tag=dns tag=network tag=resolution query |stats count

How do I create splunk query to get the total percentage of the two results
Queries Blocked/Total queries x 100 = ?

I just need the exact value so I can simply copy and paste the good answer here into my Splunk field.

Your input is highly appreciated.


Re: How do I create splunk query to get the total percentage of the two results

Ultra Champion

Try this:

sourcetype="pihole:log*"  tag=dns tag=network tag=resolution 
|stats count as total, count(eval(query_type="blocked")) as blocked 
|eval percent=round((blocked/total)* 100,1)

Re: How do I create splunk query to get the total percentage of the two results

Explorer

If I put this search query, I get the correct total no. output, but with "zero" blocked output.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
sourcetype="pihole:log" tag=dns tag=network tag=resolution message_type="Query"
|stats count as total, count(eval(query_type="Blocked")) as blocked
|eval percent=round((blocked/total)* 100,1)

total blocked percent
20433 0 0.0
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

And the results below show the correct no. of blocked outputs, but too many entries in the output.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
sourcetype="pihole:log" tag=dns tag=network tag=resolution
|stats count as total, count(eval(query_type="Blocked")) as blocked
|eval percent=round((blocked/total)* 100,1)

total blocked percent
91921 3683 4.0
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Re: How do I create splunk query to get the total percentage of the two results

Ultra Champion

`message_type="Query"` does not have `query_type="Blocked"`, and many `message_type` have `query_type="Blocked"`.
Only you know your logs. Good luck.

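An added example, not part of any reply in this thread: one way to get blocked queries as a percentage of total queries in a single search. It assumes the fields are named `message_type` and `query_type`, that `message_type="Query"` events are the total and `query_type="Blocked"` events are the blocked ones, and that the two sets do not overlap (as the results posted above suggest), so neither condition can go in the base search.

```spl
sourcetype="pihole:log" tag=dns tag=network tag=resolution
| stats count(eval(message_type="Query")) as total,
        count(eval(query_type="Blocked")) as blocked
| eval percent=if(total>0, round((blocked/total)*100, 1), 0)
| table total blocked percent
```

If the counts posted above hold for the same time range (20433 queries, 3683 blocked), `percent` comes out as 18.0. The `if(total>0, ...)` guard keeps a dashboard panel from showing an empty value when the time range contains no queries.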