Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Addtotals - Percentage of 2 total fields as new fi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ronnybruska
New Member
05-09-2018
03:05 AM
Hi there,
i created a table:
Date | Value1 | Value2 | Percentage
The last line should be:
"total" | total of Value1 | total of Value2 | Percentage change of "total of Value1" and "total of Value2"
So i want to calculate two total fields to add a third total field because the last field shouldn't be the total of all percentage.
I already got the first 3 fields but could not find out how to add a second field with addtotals
addtotals col=true row=false "Value1", "Value2", labelfield="Date" label="total"
Is this possible?
Thx!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-09-2018
08:44 AM
How about this instead:
index=_* sourcetype=splunkd component=metrics
| timechart span=1h avg(kb) AS Value1 avg(ev) AS Value2 avg(load_average) AS Peercentage
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution:"
| appendpipe [ stats sum(Value1) AS Value1 sum(Value2) AS Value2 avg(Percentage) AS Percentage ]
| fillnull value="total"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-09-2018
08:44 AM
How about this instead:
index=_* sourcetype=splunkd component=metrics
| timechart span=1h avg(kb) AS Value1 avg(ev) AS Value2 avg(load_average) AS Peercentage
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution:"
| appendpipe [ stats sum(Value1) AS Value1 sum(Value2) AS Value2 avg(Percentage) AS Percentage ]
| fillnull value="total"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ronnybruska
New Member
05-11-2018
12:52 AM
appendpipe did it for me.
I have two combined subsearches (different timeframes) so i had to calculate the percentage for the two totals manually:
index=xxx "search pattern" dvc=xxx earliest="05/07/2018:00:00:00" latest="05/08/2018:00:00:00"
| multikv
| timechart span=30m count as today
| appendcols [ search index=xxx "search pattern" dvc=xxx earliest="04/30/2018:00:00:00" latest="05/01/2018:00:00:00"
| multikv
| timechart span=30m count as yesterday ]
| eval percentage = round((today / yesterday - 1) * 100, 2)
| rename yesterday as "Value1", today as "Value2", percentage as "Percent", _time as "time"
| convert ctime("time")
| table "time", "Value1", "Value2", "Percent"
| appendpipe [ eventstats sum("Value2") as total_today, sum("Value1") as total_yesterday
| eval perc_sum = round((total_today / total_yesterday -1) * 100, 2)
| stats sum("Value1") as "Value1", sum("Value2") as "Value2", values(perc_sum) as "Percent"]
| fillnull value="total"
Thank you very much!
Get Updates on the Splunk Community!
Splunk Observability Cloud | Customer Survey!
If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...
Happy CX Day, Splunk Community!
Happy CX Day, Splunk Community!
CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...
.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas
We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...
