Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find percentage and count using stats and eval?

POR160893
Builder
‎03-30-2022 07:01 AM

Hi,

I have a field "IT_Managed" and its values are "Yes" or "No".
I need the count AND percentage of events with "YES".
It appears I am not using the stats and eval commands correctly.
Here is my code:

POR160893_0-1648648876973.png

 



Can you please help?
Thanks

Labels (1)
Labels
Tags (3)
0 Karma
Reply

POR160893
Builder
‎03-31-2022 05:19 AM

 I am trying to use a subsearch to find the TOTAL value:

POR160893_0-1648729131688.png

But I am now getting the following error:

POR160893_1-1648729173251.png

 


Can you please help?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2022 06:30 AM

Don't do it that way!

| loadjob savedsearch="andrew_nelson:renbe:Asset Registry - Security Agent Mapping" events=false
| stats count(eval(IT_Managed="Yes")) as COMP count as TOTAL
| eval percentage=100*COMP/TOTAL
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2022 02:28 AM 
your search
| stats count(eval(IT_Managed="Yes")) as COMP count as TOTAL
| eval percentage=100*COMP/TOTAL
0 Karma
Reply

Marco_Develops
Path Finder
‎03-30-2022 07:39 AM

Try the following:

 

|base search ...
|stats count(IT_Managed) as TOTAL
|eval IT_Managed= if(IT_Managed == "Yes" , 1,0)
|stats sum(IT_Managed) count as COMP
|eval percentage = COMP/TOTAL* 100
|table COMP percentage

 

 -Marco

Reply

POR160893
Builder
‎03-30-2022 08:14 AM

Thanks.

I ran your query and this is what I got:

POR160893_0-1648653261202.png


I am not sure .....

Tags (1)
0 Karma
Reply

Marco_Develops
Path Finder
‎03-30-2022 08:20 AM

Yes, I forgot a space in the second stats command. After taking a second look I believe that using 1 stats command will work fine. I modified the search

| baseSearch ...
|eval IT_Managed= if(IT_Managed == "Yes" , 1,0)
|stats sum(IT_Managed) count as COMP count(IT_Managed) as TOTAL
|eval percentage = COMP/TOTAL* 100
|table COMP percentage

 

-Marco

Reply

POR160893
Builder
‎03-30-2022 09:00 AM

Thanks but the percentage is incorrect:

POR160893_0-1648656030136.png

 

0 Karma
Reply

Marco_Develops
Path Finder
‎03-30-2022 09:07 AM

Try the following: 

| baseSearch ...
|eval IT_Managed= if(IT_Managed == "Yes" , 1,0)
|stats sum(IT_Managed) count as COMP count(IT_Managed) as TOTAL
|eval percentage = (COMP/TOTAL) * 100
|table COMP percentage

 

If this helped, please accept as solution 🙂 

-Marco 

0 Karma
Reply

POR160893
Builder
‎03-31-2022 01:09 AM

No, still outputting just 100. I think the first eval is incorrect ...

0 Karma
Reply
Get Updates on the Splunk Community!

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...