Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Calculate percentage from an event field and lookup field

ashishlal82
Explorer
‎08-05-2016 09:57 AM

I am trying to calculate percentage from a field in my lookup (xyz ) to an event field in splunk (abc). Technically its abc/xyz* 100. Does splunk has a function?

Tags (3)
0 Karma
Reply

sundareshr
Legend
‎08-05-2016 11:24 AM

Try this

index=youreventsindex | stats count by CVE | appendpipe [ | inputlookup lookup.csv | stats count by CVE | rename count as fromLU] | eval perc=tostring(fromLU/count*100, "commas")."%"
0 Karma
Reply

ashishlal82
Explorer
‎08-09-2016 08:54 AM 
index=xyz | stats dc(Name) as totalcve |appendcols [|inputlookup cve_08042016.csv| stats count(Name) as Totalcve]| eval perc=tostring(totalcve/Totalcve*100,"commas")."%"

Implement the above query. how can I output the result by severity, which is an event field from within the index=xyz

0 Karma
Reply

sundareshr
Legend
‎08-09-2016 01:25 PM

Assuming you have severity field in the csv as well (else, how will you match?) you can do this

index=xyz | stats dc(Name) as totalcve by severity |appendcols [|inputlookup cve_08042016.csv| stats count(Name) as Totalcve by severity]| eval perc=tostring(totalcve/Totalcve*100,"commas")."%"

OR
If you want to compare % in index by severity vs total in csv, try this

index=xyz | stats dc(Name) as totalcve by severity |appendcols [|inputlookup cve_08042016.csv| stats count(Name) as Totalcve]| filldown Totalcve | eval perc=tostring(totalcve/Totalcve*100,"commas")."%"
0 Karma
Reply

lguinn2
Legend
‎08-05-2016 10:55 AM

You should be able to do this:

yoursearchhere
| yourlookuphere
| eval percent = round(abc /xyz * 100, 1)

Assuming that your search gives you a numeric field named abc and the lookup gives you a field named xzy, the eval command will create a new field named percent, and will calculate the percentage for every event.

If you want to compute an overall percentage based on a count of the events or some other statistic (which seems to be what some of the commenters were asking), then you might need to use a stats command or something else prior to the eval...

0 Karma
Reply

somesoni2
Revered Legend
‎08-05-2016 10:00 AM

How are the lookup field and splunk's event field related? Do they have a common field value based on which it can be matched?

0 Karma
Reply

ashishlal82
Explorer
‎08-05-2016 10:04 AM

So the event field is a list of CVE's that splunk spit out and the lookup has CVE's from NVD.

0 Karma
Reply

sundareshr
Legend
‎08-05-2016 10:23 AM

Are you wanting to calculate the number of CVEs present in the events vs in the lookup?

0 Karma
Reply

ashishlal82
Explorer
‎08-05-2016 10:25 AM

I have the numbers. just trying to figure out the %. And my question was does splunk has % as function?

0 Karma
Reply

sundareshr
Legend
‎08-05-2016 10:28 AM

There's no built in % function. You will have to do abc/xzy*100. To format you can do tostring(abc/xyz*100, "commas")."%"

0 Karma
Reply

ashishlal82
Explorer
‎08-05-2016 10:46 AM

abc and xyz have same fieldnames one is an event field and other is an lookup. and the y have CVE id, I just need to find the %

0 Karma
Reply

ashishlal82
Explorer
‎08-05-2016 10:48 AM

how can I use the lookup as subsearch to get the count and find the %?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...