Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Re: How do i percentage for PROCESSED and STARTED ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do i percentage for PROCESSED and STARTED on below query
index=ciaudit eventname=*
| spath "EventStreamData.response.verificationStatus"
| search "EventStreamData.response.verificationStatus"=PROCESSED OR "EventStreamData.response.verificationStatus"=STARTED
| rename "EventStreamData.response.verificationStatus" as verificationStatus
| stats count by verificationStatus
I got the results like below in a tale formate....! but i need do add percentage for count results ...?
verificationStatus count
PROCESSED 2
STARTED 187
Stated /processed *100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vkari,
You might need to interchange the numerator and denominator to find the % of processed vs started.
Try,
index=ciaudit eventname=*
| spath "EventStreamData.response.verificationStatus"
| search "EventStreamData.response.verificationStatus"=PROCESSED OR "EventStreamData.response.verificationStatus"=STARTED
| rename "EventStreamData.response.verificationStatus" as verificationStatus
| stats count by verificationStatus
| transpose header_field=verificationStatus column_name=perc |eval perc=round((PROCESSED/STARTED)*100,2)
Or if you want to keep the existing format,
index=ciaudit eventname=*
| spath "EventStreamData.response.verificationStatus"
| search "EventStreamData.response.verificationStatus"=PROCESSED OR "EventStreamData.response.verificationStatus"=STARTED
| rename "EventStreamData.response.verificationStatus" as verificationStatus
| stats count by verificationStatus
| eventstats values(eval(if(verificationStatus=="PROCESSED",count,null()))) as _PROCESSED,values(eval(if(verificationStatus=="STARTED",count,null()))) as _STARTED
| eval perc=round((_PROCESSED/_STARTED)*100 ,2)
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fist query not help to me second time you gave me and fist one its working fine
i need one more help !
index=audit eventName=501 |“EventStreamData.response.verificationStatus”=PROCESSED then here
| spath "EventStreamData.eventContext.startTime" | search "EventStreamData.eventContext.startTime"="*"
index=audit eventName=503 |"EventStreamData.eventContext.endTime" | search "EventStreamData.eventContext.endTime"="*"
and Stat time and end time average time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If this solution answers this question, then do click Accept (and UpVote the other helpful comments and answers). If you have more/different questions, then the appropriate thing to do is to post new questions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If one of the solutions worked, please accept as answer/upvote.
Didnt understand your second question fully but you are
- trying to calculate average time of each "PROCESSED" job
- eventName=501 represents startTime and 503 represents endtime
Is that correct?
Do you have a job id or any other identifier to identify the PROCESSED jobs so that we can find the duration of each job and then an average?
Something similar to
index=audit (eventName=501 OR eventName=503 ) “EventStreamData.response.verificationStatus”=PROCESSED ('EventStreamData.eventContext.startTime'="*" OR 'EventStreamData.eventContext.endTime'="*")
|stats latest('EventStreamData.eventContext.startTime') as starTime,latest('EventStreamData.eventContext.endTime') as endTime bby jobId
|eval duration=endTime-starTime
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @vkari
Try this
| makeresults
| eval verificationStatus="PROCESSED", count =2
| append
[| makeresults
| eval verificationStatus="STARTED", count =187]
| eval{verificationStatus} = count
| stats list(PROCESSED) as processed,list(STARTED) as started
| eval percentage = started/processed*100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nope it's wont work for me !
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
