Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Calculate percentage from an event field and lookup field

ashishlal82
Explorer
‎08-05-2016 09:57 AM

I am trying to calculate percentage from a field in my lookup (xyz ) to an event field in splunk (abc). Technically its abc/xyz* 100. Does splunk has a function?

Tags (3)
0 Karma
Reply

sundareshr
Legend
‎08-05-2016 11:24 AM

Try this

index=youreventsindex | stats count by CVE | appendpipe [ | inputlookup lookup.csv | stats count by CVE | rename count as fromLU] | eval perc=tostring(fromLU/count*100, "commas")."%"
0 Karma
Reply

ashishlal82
Explorer
‎08-09-2016 08:54 AM 
index=xyz | stats dc(Name) as totalcve |appendcols [|inputlookup cve_08042016.csv| stats count(Name) as Totalcve]| eval perc=tostring(totalcve/Totalcve*100,"commas")."%"

Implement the above query. how can I output the result by severity, which is an event field from within the index=xyz

0 Karma
Reply

sundareshr
Legend
‎08-09-2016 01:25 PM

Assuming you have severity field in the csv as well (else, how will you match?) you can do this

index=xyz | stats dc(Name) as totalcve by severity |appendcols [|inputlookup cve_08042016.csv| stats count(Name) as Totalcve by severity]| eval perc=tostring(totalcve/Totalcve*100,"commas")."%"

OR
If you want to compare % in index by severity vs total in csv, try this

index=xyz | stats dc(Name) as totalcve by severity |appendcols [|inputlookup cve_08042016.csv| stats count(Name) as Totalcve]| filldown Totalcve | eval perc=tostring(totalcve/Totalcve*100,"commas")."%"
0 Karma
Reply

lguinn2
Legend
‎08-05-2016 10:55 AM

You should be able to do this:

yoursearchhere
| yourlookuphere
| eval percent = round(abc /xyz * 100, 1)

Assuming that your search gives you a numeric field named abc and the lookup gives you a field named xzy, the eval command will create a new field named percent, and will calculate the percentage for every event.

If you want to compute an overall percentage based on a count of the events or some other statistic (which seems to be what some of the commenters were asking), then you might need to use a stats command or something else prior to the eval...

0 Karma
Reply

somesoni2
Revered Legend
‎08-05-2016 10:00 AM

How are the lookup field and splunk's event field related? Do they have a common field value based on which it can be matched?

0 Karma
Reply

ashishlal82
Explorer
‎08-05-2016 10:04 AM

So the event field is a list of CVE's that splunk spit out and the lookup has CVE's from NVD.

0 Karma
Reply

sundareshr
Legend
‎08-05-2016 10:23 AM

Are you wanting to calculate the number of CVEs present in the events vs in the lookup?

0 Karma
Reply

ashishlal82
Explorer
‎08-05-2016 10:25 AM

I have the numbers. just trying to figure out the %. And my question was does splunk has % as function?

0 Karma
Reply

sundareshr
Legend
‎08-05-2016 10:28 AM

There's no built in % function. You will have to do abc/xzy*100. To format you can do tostring(abc/xyz*100, "commas")."%"

0 Karma
Reply

ashishlal82
Explorer
‎08-05-2016 10:46 AM

abc and xyz have same fieldnames one is an event field and other is an lookup. and the y have CVE id, I just need to find the %

0 Karma
Reply

ashishlal82
Explorer
‎08-05-2016 10:48 AM

how can I use the lookup as subsearch to get the count and find the %?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...