Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Calculate a percentage from three events

swilson91
New Member
‎03-08-2013 07:01 AM

Hi,

I'm hoping you can help me I currently have a graph that have 3 events lets call them event1, event2 and event3. I want to somehow in the search total these three values and find out the percentage of each of them for example

event1 event2 event3
50 70 20

The searches I have tried so far have not worked I managed to get the total I think but not sure how to find out the percentage of each of the values

"index=test| timechart latest(event1) latest(event2) latest(events) | eventstats count AS total"

Any help would be much appreciated

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-11-2013 05:31 AM

Try something like this if you have a fixed number of events:

... | timechart avg(event1) as event1 avg(event2) as event2 avg(event3) as event3 | addtotals | eval event1 = event1/100*Total | eval event2 = event2/100*Total | eval event3 = event3/100*Total | fields - Total

If you have a large or unknown number of events you can use the http://splunk-base.splunk.com/apps/76026/scale-command to do some wildcard-enabled maths:

... | timechart avg(event*) as event* | addtotals | scale field=Total pattern=^event | scale scale=0.01 pattern=^event round=1 | fields - Total
0 Karma
Reply

swilson91
New Member
‎03-11-2013 05:16 AM

Hi,

My raw data is like:

event1 event2 event3
50 70 20
50 80 20
30 70 20
50 70 10

I want to total the three events and find out what percentage each of them are of the total for example

event1 event2 event3
35.7% 50.0% 14.3%
33.3% 53.3% 13.3%
25.0% 58.3% 16.7%
38.5% 53.8% 7.7%

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-09-2013 04:27 AM

What's your raw data, and what do you want to see in the end? I'm a bit confused by counting the number of rows put out by the timechart in the eventstats.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎03-08-2013 07:34 AM

You can pipe to a stats and do some eval-in'.

index=test | timechart latest(event1) as evt1 latest(event2) as evt2 latest(events) as evt| eventstats count AS total latest(evt*) as evt*|eval evtperc=evt/total*100|eval evt2perc=evt2/total*100|eval evt3perc=evt3/total*100

0 Karma
Reply

swilson91
New Member
‎03-08-2013 07:56 AM

Like this?

index=test| timechart latest(event1) as evt1 latest(event2) as evt2 latest(events) as evt| eventstats count AS total latest(evt*) as evt*| eval evtperc=evt/total*100|eval evt2perc=evt2/total*100|eval evt3perc=evt3/total*100 | fields evtperc, evt2perc, evt3perc

When I run this it doesn't show the correct fields on the graph?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...