Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- % of total
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schou87
Path Finder
05-20-2021
06:01 AM
hi I have a table as shown below. I want to get the % of total for each status for previous 6 days. How do i write a query to get the same.
| DATE | Status_1 | Status_2 | Status_3 |
| 2021-05-19 | 14 | 33 | 123 |
| 2021-05-18 | 45 | 12 | 456 |
| 2021-05-17 | 4 | 6 | 213 |
| 2021-05-16 | 5 | 8 | 564 |
| 2021-05-15 | 4 | 9 | 987 |
| 2021-05-14 | 4 | 0 | 543 |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-21-2021
02:23 AM
| makeresults
| eval _raw="DATE A B C
2021-05-19 14 33 123
2021-05-18 45 12 456
2021-05-17 4 6 213
2021-05-16 5 8 564
2021-05-15 4 9 987
2021-05-14 4 0 543"
| multikv forceheader=1
| fields - _* linecount
| fields - DATE
| addtotals
| addcoltotals labelfield=Result label=Total
| foreach *
[| eval Percentage_<<FIELD>>=100*<<FIELD>>/Total]
| where Result="Total"
| fields - Percentage_Total
| fields Percentage_*- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-20-2021
06:14 AM
| eventstats sum(Status_*) as Total_*
| foreach Status_*
[| eval Percentage_<<MATCHSTR>>=100*<<FIELD>>/Total_<<MATCHSTR>>]- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schou87
Path Finder
05-20-2021
06:25 AM
Hi,
I am getting an error : Unencoded <
Also, can we please consider the below:
Status_1: A
Status_2: B
Status_3: C
I don't want to use matchstring as there is no wildcard match in my example. That was just an example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-20-2021
11:55 PM
| makeresults
| eval _raw="DATE A B C
2021-05-19 14 33 123
2021-05-18 45 12 456
2021-05-17 4 6 213
2021-05-16 5 8 564
2021-05-15 4 9 987
2021-05-14 4 0 543"
| multikv forceheader=1
| fields - _raw linecount
| eval _time=DATE
| fields - DATE
| eventstats sum(*) as Total_*
| foreach *
[| eval Percentage_<<FIELD>>=100*<<FIELD>>/Total_<<FIELD>>]
| rename _time as DATE- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schou87
Path Finder
05-21-2021
01:00 AM
Hi, your query gives me % total for each field individually on daily basis but can you tell me how to do a % of total for previous 6 days together and not calculate day on day basis. So I just want to return 3 rows for % total of my 3 fields.
Like % A= A/A+B+C *100 ( for all 6 days together and not by individual dates)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-21-2021
01:13 AM
| makeresults
| eval _raw="DATE A B C
2021-05-19 14 33 123
2021-05-18 45 12 456
2021-05-17 4 6 213
2021-05-16 5 8 564
2021-05-15 4 9 987
2021-05-14 4 0 543"
| multikv forceheader=1
| fields - _raw linecount
| eval _time=DATE
| fields - DATE
| addtotals
| stats sum(*) as *
| foreach *
[| eval Percentage_<<FIELD>>=100*<<FIELD>>/Total]You can remove Percentage_Total as this will always be 100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-21-2021
01:18 AM
Alternatively
| makeresults
| eval _raw="DATE A B C
2021-05-19 14 33 123
2021-05-18 45 12 456
2021-05-17 4 6 213
2021-05-16 5 8 564
2021-05-15 4 9 987
2021-05-14 4 0 543"
| multikv forceheader=1
| fields - _raw linecount
| eval _time=DATE
| fields - DATE
| addcoltotals
| addtotals
| foreach *
[| eval Percentage_<<FIELD>>=100*<<FIELD>>/Total]
| where isnull(_time)
| fields - _time- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schou87
Path Finder
05-21-2021
01:32 AM
Hi @ITWhisperer , thanks for that!! But it is returning 8 rows where i just want below (numbers are hypothetical)
A 96.51
B 3.43
C 0.05
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-21-2021
01:43 AM
8 rows? There should only be one row where the date is null - this is the row generated by the addcoltotals - if you want to be more specific you could do this
| makeresults
| eval _raw="DATE A B C
2021-05-19 14 33 123
2021-05-18 45 12 456
2021-05-17 4 6 213
2021-05-16 5 8 564
2021-05-15 4 9 987
2021-05-14 4 0 543"
| multikv forceheader=1
| fields - _* linecount
| fields - DATE
| addtotals
| addcoltotals labelfield=Result label=Total
| foreach *
[| eval Percentage_<<FIELD>>=100*<<FIELD>>/Total]
| where Result="Total"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schou87
Path Finder
05-21-2021
02:15 AM
I got your point on the ISNULL. Sorry I missed that part.
But the result is giving me extra columns which i dont want
A B C Percentage_A Percentage_B Percentage_C Percentage_Total Total
| 76 | 68 | 2886 | 2.5082508250825084 | 2.2442244224422443 | 95.24752475247524 | 100 | 3030 |
I just want to keep the percentage values
Percentage_A Percentage_B Percentage_C
| 2.5082508250825084 | 2.2442244224422443 | 95.24752475247524 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-21-2021
02:23 AM
| makeresults
| eval _raw="DATE A B C
2021-05-19 14 33 123
2021-05-18 45 12 456
2021-05-17 4 6 213
2021-05-16 5 8 564
2021-05-15 4 9 987
2021-05-14 4 0 543"
| multikv forceheader=1
| fields - _* linecount
| fields - DATE
| addtotals
| addcoltotals labelfield=Result label=Total
| foreach *
[| eval Percentage_<<FIELD>>=100*<<FIELD>>/Total]
| where Result="Total"
| fields - Percentage_Total
| fields Percentage_*- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schou87
Path Finder
05-21-2021
05:36 AM
Awesome!! Thank you @ITWhisperer for your patience with me. 🙂
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Related Topics
Get Updates on the Splunk Community!
Index This | What travels the world but is also stuck in place?
April 2026 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
As data volumes continue to grow and environments become more distributed, managing and optimizing data ...
