Splunk Search

Calculate Percentage

gnovak
Builder

I've been going around in circles on this all day and at this point figured I would post my question here:

sourcetype="EPPWEB" source="/opt/log/dotblah/web_server/info.log" OR source="/opt/log/dotblah/*/web_server/info.log" WAT | dedup registrar | stats count(registrar) as numviewed by description,registry

This search produces a small table that looks kinda like this:

Description          Registry  numviewed
Billing Invoice      dotblah   3
Daily Auto Renewals  dotblah   3
Billing Text         dotblah   14
Annual Report        dotblah   10

What I'm trying to do is create a percentage based on the numviewed values and a number displayed in a field. The field is:

actualcount     424

So I want to basically have a percent column showing the percent. So 3 out of 424 would be how many percent?

Description          Registry  numviewed  actualcount  percent
Billing Invoice      dotblah   3          424
Daily Auto Renewals  dotblah   3          424
Billing Text         dotblah   14         424
Annual Report        dotblah   10         424

I tried using eval at the end of this but it didn't do anything and showed no results:

sourcetype="EPPWEB" source="/opt/log/dotblah/web_server/info.log" OR source="/opt/log/dotblah/*/web_server/info.log" WAT | search description="*" | dedup registrar | stats count(registrar) as numviewed by description,registry | eval percent=(numviewed/registrycount)*100

How can I get the percentage I want?

0 Karma

Ayn
Legend

First make sure you have the count value in a field, so you can include it in eval's calculations. By using eventstats you can do this without losing information that is needed later on in the search pipeline. Then do the eval stuff inline in your stats command. Like this:

sourcetype="EPPWEB" source="/opt/log/dotblah/web_server/info.log" OR source="/opt/log/dotblah/*/web_server/info.log" WAT | search description="*" | dedup registrar | eventstats count by description,registry | stats sum(count) as numviewed,sum(eval(100*numviewed/actualcount)) as percent by description,registry

gnovak
Builder

actualcount is a static value that is currently in a lookup file

0 Karma

jonuwz
Influencer

Where does actualcount come from - can you calculate it - if so, how? Post the search that gives you the value of actualcount.

0 Karma
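
An added example, not written by any poster in this thread: it rebuilds the table from the question on constructed data and fills in the percent column. The 30 rows from makeresults and the registrar_N names are constructed, and `eval actualcount=424` is an assumption standing in for the lookup value mentioned above. That step sits after stats because stats keeps only its by-fields and aggregates, so any field an eval needs has to exist at that point in the pipeline.

```spl
| makeresults count=30
| streamstats count as n
| eval registry="dotblah"
| eval registrar="registrar_".n
| eval description=case(n<=3, "Billing Invoice", n<=6, "Daily Auto Renewals", n<=20, "Billing Text", true(), "Annual Report")
| dedup registrar
| stats count(registrar) as numviewed by description, registry
| eval actualcount=424
| eval percent=round(100 * numviewed / actualcount, 2)
| table description registry numviewed actualcount percent
```

When the value lives in a lookup file, the step that reads it goes in the same position as the `eval actualcount=424` line, after stats and before the percent calculation.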