Splunk AppDynamics
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Bucketing Series with Math calculation (percentage)

Ade_Suryadiana
Engager
‎07-22-2021 03:00 AM

Hello,

I am struggling to convert total number of metric value from number into percentage of total value, in this case is browser type -- and it should be shown in time series bucket function,

At the moment, I am able to show based on number using following queries in time series (see attached picture)

  •  SELECT series(eventTimestamp, '1m'), count(browser) AS "Firefox" FROM browser_records WHERE browser = "Firefox"
  • SELECT series(eventTimestamp, '1m'), count(browser) AS "Non-Firefox" FROM browser_records WHERE browser != "Firefox"
  • SELECT series(eventTimestamp, '1m'), count(*) AS "Total" FROM browser_records

image.jpeg

However, I am unable to convert it into percentage (%).


I know there is filter function e.g. :

SELECT 100*filter(count(*), browser = "Firefox") / count(*) AS "% Firefox" FROM browser_records

or

SELECT 100*filter(count(*), browser != "Firefox") / count(*) AS "% Non-Firefox" FROM browser_records

BUT it will only return single value, not in time series as I expected.

 image.jpeg

How to combine series bucketing function and filter function to get percentage number browser in time series?

Anyone has experience before?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Hiroki_Ito
Contributor
‎07-26-2021 12:16 AM

Hi @Ade.Suryadiana,

Thank you for posting to the community.

I believe you are just missing series(eventTimestamp, '1m') for percentage query.
Could you try queries like the following?

SELECT series(eventTimestamp, '1m'), 100*filter(count(*), browser = "Firefox") / count(*) AS "% Firefox" FROM browser_records
SELECT series(eventTimestamp, '1m'), 100*filter(count(*), browser != "Firefox") / count(*) AS "% Non-Firefox" FROM browser_records

Best Regards,
Hiroki

View solution in original post

Reply
Solved! Jump to solution
Solution

Hiroki_Ito
Contributor
‎07-26-2021 12:16 AM

Hi @Ade.Suryadiana,

Thank you for posting to the community.

I believe you are just missing series(eventTimestamp, '1m') for percentage query.
Could you try queries like the following?

SELECT series(eventTimestamp, '1m'), 100*filter(count(*), browser = "Firefox") / count(*) AS "% Firefox" FROM browser_records
SELECT series(eventTimestamp, '1m'), 100*filter(count(*), browser != "Firefox") / count(*) AS "% Non-Firefox" FROM browser_records

Best Regards,
Hiroki

Reply
Solved! Jump to solution

Ade_Suryadiana
Engager
‎07-26-2021 08:53 PM

Thank you @Hiroki.Ito , it works.

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...