Solved: Re: Calculate percent

C37996518 · ‎08-18-2021

index=Myindex sourcetype=mine mysearch | eval Result=if(Apple="1","Bad","Good")
| stats count by Result

The search above gives me the correct count of events where Apple="1"

eg

Result Count

Bad 5

Good 12392

How do I express the stats as a single value in percentage ie Bad/Good?

How do I alert if the percentage > .02%

bowesmana · ‎08-19-2021

NB: and on a slight technical note to ITWhispers comments, if you're looking for bad as a % of total rather than of goodNB, then

| eval percent=100*Bad/(Bad+Good)

View solution in original post

C37996518 · ‎08-19-2021

@C37996518 wrote:
index=Myindex sourcetype=mine mysearch | eval Result=if(Apple="1","Bad","Good")
| stats count by Result

The search above gives me the correct count of events where Apple="1"
eg
Result Count
Bad 5
Good 12392

How do I express the stats as a single value in percentage ie Bad/Good?
How do I alert if the percentage > .02%

Thanks to both. Perfect!!

bowesmana · ‎08-19-2021

NB: and on a slight technical note to ITWhispers comments, if you're looking for bad as a % of total rather than of goodNB, then

| eval percent=100*Bad/(Bad+Good)

ITWhisperer · ‎08-19-2021

index=Myindex sourcetype=mine mysearch
| eval Bad=if(Apple="1",1,0)
| eval Good=if(Apple="1",0,1)
| stats sum(Bad) as Bad sum(Good) as Good
| eval percent=100*Bad/Good
| where percent>0.02

The last line is for the alert so that you only get results when the percentage is greater than 0.02

Calculate percent

eval

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...