Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

calculate Field count and pass it for percent calculation

k_harini
Communicator
‎10-13-2016 02:49 AM

Hi,
I'm a newbie to splunk. Struggling with a query. All i want to do now is pass the total value so that i can calculate the %. One part of query is done. Other part I'm facing issue - to pass total value
Tried this
1. index="my_index" | eval reformat_time= strftime(strptime('Due Date',"%d.%m.%Y"),"%d.%m.%Y")|eval now_time=strftime(now(),"%d.%m.%Y")|where (reformat_time >= now_time) AND ('Status'!="Oxxx") |stats count as Missed_count count(eval(index=” my_index”) as Total|table Missed_count Total .. I'm not able to get total and hence could not calculate completed %. I got missed count. Im looking for total count to calculate %.
2. Tried with eventstats too
index="charm_normal_index"|eventstats count as Total_events|eval reformat_time= strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y")|eval now_time=strftime(now(),"%d.%m.%Y")|where (reformat_time >= now_time) AND ('System Status'!="Completed") |stats count as Missed_count| table Missed_count Total_events

No luck. Please help

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-13-2016 04:47 AM

There are a couple of ways you can do this.. You almost has both of them.. Try one of these

Using eventstats

index="charm_normal_index"|eventstats count as Total_events | where (reformat_time >= now_time) AND ('System Status'!="Completed") | eval reformat_time= strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y") | eval now_time=strftime(now(),"%d.%m.%Y") | stats count as Missed_count values(Total_events) as Total_events

Using stats

index="charm_normal_index"|eventstats count as Total_events | eval reformat_time= strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y") | eval now_time=strftime(now(),"%d.%m.%Y") | stats count as Total_events count(eval((reformat_time >= now_time) AND ('System Status'!="Completed") )) as Missed_count

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-13-2016 04:47 AM

There are a couple of ways you can do this.. You almost has both of them.. Try one of these

Using eventstats

index="charm_normal_index"|eventstats count as Total_events | where (reformat_time >= now_time) AND ('System Status'!="Completed") | eval reformat_time= strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y") | eval now_time=strftime(now(),"%d.%m.%Y") | stats count as Missed_count values(Total_events) as Total_events

Using stats

index="charm_normal_index"|eventstats count as Total_events | eval reformat_time= strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y") | eval now_time=strftime(now(),"%d.%m.%Y") | stats count as Total_events count(eval((reformat_time >= now_time) AND ('System Status'!="Completed") )) as Missed_count
Reply
Solved! Jump to solution

k_harini
Communicator
‎10-13-2016 10:45 AM

Hi,

Using stats worked. 1st query did not work. There is another option with join. I did with that. Thanks a lot for your response

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...