Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Calculate Percentage
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Calculate Percentage
I've been going around in circles on this all day and at this point figured I would post my question here:
sourcetype="EPPWEB" source="/opt/log/dotblah/web_server/info.log" OR source="/opt/log/dotblah/*/web_server/info.log" WAT | dedup registrar | stats count(registrar) as numviewed by description,registry
This search produces a small table that looks kinda like this:
Description Registry numviewed
Billing Invoice dotblah 3
Daily Auto Renewals dotblah 3
Billing Text dotblah 14
Annual Report dotblah 10
What I'm trying to do is create a percentage based on the numviewed values and a number displayed in a field. The field is:
actualcount 424
So I want to basically have a percent column showing the percent. So 3 out of 424 would be how many percent?
Description Registry numviewed actualcount percent
Billing Invoice dotblah 3 424
Daily Auto Renewals dotblah 3 424
Billing Text dotblah 14 424
Annual Report dotblah 10 424
I tried using eval at the end of this but it didn't do anything and showed no results:
sourcetype="EPPWEB" source="/opt/log/dotblah/web_server/info.log" OR source="/opt/log/dotblah/*/web_server/info.log" WAT | search description="*" | dedup registrar | stats count(registrar) as numviewed by description,registry | eval percent=(numviewed/registrycount)*100
How can i get the percentage I want?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First make sure you have the count value in a field, so you can include it in eval's calculations. By using eventstats you can do this without losing information that is needed later on in the search pipeline. Then do the eval stuff inline in your stats command. Like this:
sourcetype="EPPWEB" source="/opt/log/dotblah/web_server/info.log" OR source="/opt/log/dotblah/*/web_server/info.log" WAT search description="*" | dedup registrar | eventstats count by description,registry | stats sum(count) as numviewed,sum(eval(100*numviewed/actualcount)) as percent by description,registry
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
actualcount is a static value that is currently in a lookup file
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where does actualcount come from - can you calculate it - if so how ? post the search that gives you the value of actualcount
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
