Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate percent

C37996518
Explorer
‎08-18-2021 10:10 PM

index=Myindex sourcetype=mine mysearch    | eval Result=if(Apple="1","Bad","Good")
| stats count by Result

 

The search above gives me the correct count of events where Apple="1"

eg

Result                                                 Count

Bad                                                       5 

Good                                                  12392

 

How do I express the stats as a  single value in percentage ie  Bad/Good?

How do I alert  if the percentage  > .02%

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-19-2021 12:29 AM

NB: and on a slight technical note to ITWhispers comments, if you're looking for bad as a % of total rather than of goodNB, then

 

| eval percent=100*Bad/(Bad+Good)

 

View solution in original post

Reply
Solved! Jump to solution

C37996518
Explorer
‎08-19-2021 03:22 AM
@C37996518 wrote:

index=Myindex sourcetype=mine mysearch    | eval Result=if(Apple="1","Bad","Good")
| stats count by Result

 

The search above gives me the correct count of events where Apple="1"

eg

Result                                                 Count

Bad                                                       5 

Good                                                  12392

 

How do I express the stats as a  single value in percentage ie  Bad/Good?

How do I alert  if the percentage  > .02%

Thanks to both. Perfect!!

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-19-2021 12:29 AM

NB: and on a slight technical note to ITWhispers comments, if you're looking for bad as a % of total rather than of goodNB, then

 

| eval percent=100*Bad/(Bad+Good)

 

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-19-2021 12:11 AM 
index=Myindex sourcetype=mine mysearch
| eval Bad=if(Apple="1",1,0)
| eval Good=if(Apple="1",0,1)
| stats sum(Bad) as Bad sum(Good) as Good
| eval percent=100*Bad/Good
| where percent>0.02

The last line is for the alert so that you only get results when the percentage is greater than 0.02

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...