Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Dashboards & Visualizations
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- % of total
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schou87
Path Finder
05-20-2021
06:01 AM
hi I have a table as shown below. I want to get the % of total for each status for previous 6 days. How do i write a query to get the same.
| DATE | Status_1 | Status_2 | Status_3 |
| 2021-05-19 | 14 | 33 | 123 |
| 2021-05-18 | 45 | 12 | 456 |
| 2021-05-17 | 4 | 6 | 213 |
| 2021-05-16 | 5 | 8 | 564 |
| 2021-05-15 | 4 | 9 | 987 |
| 2021-05-14 | 4 | 0 | 543 |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-21-2021
02:23 AM
| makeresults
| eval _raw="DATE A B C
2021-05-19 14 33 123
2021-05-18 45 12 456
2021-05-17 4 6 213
2021-05-16 5 8 564
2021-05-15 4 9 987
2021-05-14 4 0 543"
| multikv forceheader=1
| fields - _* linecount
| fields - DATE
| addtotals
| addcoltotals labelfield=Result label=Total
| foreach *
[| eval Percentage_<<FIELD>>=100*<<FIELD>>/Total]
| where Result="Total"
| fields - Percentage_Total
| fields Percentage_*- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-20-2021
06:14 AM
| eventstats sum(Status_*) as Total_*
| foreach Status_*
[| eval Percentage_<<MATCHSTR>>=100*<<FIELD>>/Total_<<MATCHSTR>>]- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schou87
Path Finder
05-20-2021
06:25 AM
Hi,
I am getting an error : Unencoded <
Also, can we please consider the below:
Status_1: A
Status_2: B
Status_3: C
I don't want to use matchstring as there is no wildcard match in my example. That was just an example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-20-2021
11:55 PM
| makeresults
| eval _raw="DATE A B C
2021-05-19 14 33 123
2021-05-18 45 12 456
2021-05-17 4 6 213
2021-05-16 5 8 564
2021-05-15 4 9 987
2021-05-14 4 0 543"
| multikv forceheader=1
| fields - _raw linecount
| eval _time=DATE
| fields - DATE
| eventstats sum(*) as Total_*
| foreach *
[| eval Percentage_<<FIELD>>=100*<<FIELD>>/Total_<<FIELD>>]
| rename _time as DATE- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schou87
Path Finder
05-21-2021
01:00 AM
Hi, your query gives me % total for each field individually on daily basis but can you tell me how to do a % of total for previous 6 days together and not calculate day on day basis. So I just want to return 3 rows for % total of my 3 fields.
Like % A= A/A+B+C *100 ( for all 6 days together and not by individual dates)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-21-2021
01:13 AM
| makeresults
| eval _raw="DATE A B C
2021-05-19 14 33 123
2021-05-18 45 12 456
2021-05-17 4 6 213
2021-05-16 5 8 564
2021-05-15 4 9 987
2021-05-14 4 0 543"
| multikv forceheader=1
| fields - _raw linecount
| eval _time=DATE
| fields - DATE
| addtotals
| stats sum(*) as *
| foreach *
[| eval Percentage_<<FIELD>>=100*<<FIELD>>/Total]You can remove Percentage_Total as this will always be 100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-21-2021
01:18 AM
Alternatively
| makeresults
| eval _raw="DATE A B C
2021-05-19 14 33 123
2021-05-18 45 12 456
2021-05-17 4 6 213
2021-05-16 5 8 564
2021-05-15 4 9 987
2021-05-14 4 0 543"
| multikv forceheader=1
| fields - _raw linecount
| eval _time=DATE
| fields - DATE
| addcoltotals
| addtotals
| foreach *
[| eval Percentage_<<FIELD>>=100*<<FIELD>>/Total]
| where isnull(_time)
| fields - _time- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schou87
Path Finder
05-21-2021
01:32 AM
Hi @ITWhisperer , thanks for that!! But it is returning 8 rows where i just want below (numbers are hypothetical)
A 96.51
B 3.43
C 0.05
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-21-2021
01:43 AM
8 rows? There should only be one row where the date is null - this is the row generated by the addcoltotals - if you want to be more specific you could do this
| makeresults
| eval _raw="DATE A B C
2021-05-19 14 33 123
2021-05-18 45 12 456
2021-05-17 4 6 213
2021-05-16 5 8 564
2021-05-15 4 9 987
2021-05-14 4 0 543"
| multikv forceheader=1
| fields - _* linecount
| fields - DATE
| addtotals
| addcoltotals labelfield=Result label=Total
| foreach *
[| eval Percentage_<<FIELD>>=100*<<FIELD>>/Total]
| where Result="Total"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schou87
Path Finder
05-21-2021
02:15 AM
I got your point on the ISNULL. Sorry I missed that part.
But the result is giving me extra columns which i dont want
A B C Percentage_A Percentage_B Percentage_C Percentage_Total Total
| 76 | 68 | 2886 | 2.5082508250825084 | 2.2442244224422443 | 95.24752475247524 | 100 | 3030 |
I just want to keep the percentage values
Percentage_A Percentage_B Percentage_C
| 2.5082508250825084 | 2.2442244224422443 | 95.24752475247524 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-21-2021
02:23 AM
| makeresults
| eval _raw="DATE A B C
2021-05-19 14 33 123
2021-05-18 45 12 456
2021-05-17 4 6 213
2021-05-16 5 8 564
2021-05-15 4 9 987
2021-05-14 4 0 543"
| multikv forceheader=1
| fields - _* linecount
| fields - DATE
| addtotals
| addcoltotals labelfield=Result label=Total
| foreach *
[| eval Percentage_<<FIELD>>=100*<<FIELD>>/Total]
| where Result="Total"
| fields - Percentage_Total
| fields Percentage_*- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schou87
Path Finder
05-21-2021
05:36 AM
Awesome!! Thank you @ITWhisperer for your patience with me. 🙂
Related Topics
Get Updates on the Splunk Community!
Join Us for Splunk University and Get Your Bootcamp Game On!
If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...
Announcing Scheduled Export GA for Dashboard Studio
We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...
