Splunk Dev

How do I get the percentage for PROCESSED and STARTED in the query below?

vkari
New Member

index=ciaudit eventname=*
| spath "EventStreamData.response.verificationStatus"
| search "EventStreamData.response.verificationStatus"=PROCESSED OR "EventStreamData.response.verificationStatus"=STARTED
| rename "EventStreamData.response.verificationStatus" as verificationStatus
| stats count by verificationStatus

I got the results like below in a table format, but I need to add a percentage for the count results.

verificationStatus count
PROCESSED 2
STARTED 187

Started / processed * 100

0 Karma

renjith_nair
SplunkTrust

@vkari,

You might need to interchange the numerator and denominator to find the % of processed vs started.

Try,

index=ciaudit eventname=*
| spath "EventStreamData.response.verificationStatus"
| search "EventStreamData.response.verificationStatus"=PROCESSED OR "EventStreamData.response.verificationStatus"=STARTED
| rename "EventStreamData.response.verificationStatus" as verificationStatus
| stats count by verificationStatus
| transpose header_field=verificationStatus column_name=perc
| eval perc=round((PROCESSED/STARTED)*100,2)

Or if you want to keep the existing format,

index=ciaudit eventname=*
| spath "EventStreamData.response.verificationStatus"
| search "EventStreamData.response.verificationStatus"=PROCESSED OR "EventStreamData.response.verificationStatus"=STARTED
| rename "EventStreamData.response.verificationStatus" as verificationStatus
| stats count by verificationStatus
| eventstats values(eval(if(verificationStatus=="PROCESSED",count,null()))) as _PROCESSED,values(eval(if(verificationStatus=="STARTED",count,null()))) as _STARTED
| eval perc=round((_PROCESSED/_STARTED)*100 ,2)
Happy Splunking!
0 Karma

vkari
New Member

First query did not help me. Second time you gave me and first one, it's working fine.

I need one more help!
index=audit eventName=501 | "EventStreamData.response.verificationStatus"=PROCESSED then here

| spath "EventStreamData.eventContext.startTime" | search "EventStreamData.eventContext.startTime"="*"

index=audit eventName=503 |"EventStreamData.eventContext.endTime" | search "EventStreamData.eventContext.endTime"="*"

and start time and end time average time

0 Karma

woodcock
Esteemed Legend

If this solution answers this question, then do click Accept (and UpVote the other helpful comments and answers). If you have more/different questions, then the appropriate thing to do is to post new questions.

0 Karma

renjith_nair
SplunkTrust

If one of the solutions worked, please accept as answer/upvote.

Didn't understand your second question fully, but you are
- trying to calculate the average time of each "PROCESSED" job
- eventName=501 represents startTime and 503 represents endTime

Is that correct?

Do you have a job id or any other identifier to identify the PROCESSED jobs so that we can find the duration of each job and then an average?

Something similar to

index=audit (eventName=501 OR eventName=503 ) "EventStreamData.response.verificationStatus"=PROCESSED ('EventStreamData.eventContext.startTime'="*" OR 'EventStreamData.eventContext.endTime'="*")
|stats latest('EventStreamData.eventContext.startTime') as starTime,latest('EventStreamData.eventContext.endTime') as endTime by jobId
|eval duration=endTime-starTime
Happy Splunking!
0 Karma
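An added run-anywhere example, not part of any post in this thread, of the per-job duration and average discussed above. It assumes each job carries a jobId (the identifier asked about above) and that the 501/503 timestamps are epoch seconds; the rows are constructed sample data, and job-C has no 503 event, so it is excluded from the average instead of skewing it.

```spl
| makeresults
| eval constructed_rows="job-A,501,1000;job-A,503,1060;job-B,501,2000;job-B,503,2030;job-C,501,3000"
| makemv delim=";" constructed_rows
| mvexpand constructed_rows
| eval cols=split(constructed_rows, ","), jobId=mvindex(cols,0), eventName=mvindex(cols,1), epoch=tonumber(mvindex(cols,2))
| eval startTime=if(eventName=="501", epoch, null()), endTime=if(eventName=="503", epoch, null())
| stats min(startTime) as startTime, max(endTime) as endTime by jobId
| where isnotnull(startTime) AND isnotnull(endTime) AND endTime>=startTime
| eval duration=endTime-startTime
| stats count as completedJobs, avg(duration) as avgDurationSec
```

Against real events, the first five lines would be replaced by the base search, with startTime and endTime taken from the EventStreamData.eventContext fields.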

vnravikumar
Champion

Hi @vkari

Try this

| makeresults 
| eval verificationStatus="PROCESSED", count =2 
| append 
    [| makeresults 
    | eval verificationStatus="STARTED", count =187] 
| eval {verificationStatus} = count 
| stats list(PROCESSED) as processed,list(STARTED) as started 
| eval percentage = started/processed*100
0 Karma

vkari
New Member

Nope, it won't work for me!

0 Karma