Splunk Search

Calculate percentage from an event field and lookup field

Explorer

I am trying to calculate percentage from a field in my lookup (xyz ) to an event field in splunk (abc). Technically its abc/xyz* 100. Does splunk has a function?

Tags (3)
0 Karma

Legend

Try this

index=youreventsindex | stats count by CVE | appendpipe [ | inputlookup lookup.csv | stats count by CVE | rename count as fromLU] | eval perc=tostring(fromLU/count*100, "commas")."%"
0 Karma

Explorer
index=xyz | stats dc(Name) as totalcve |appendcols [|inputlookup cve_08042016.csv| stats count(Name) as Totalcve]| eval perc=tostring(totalcve/Totalcve*100,"commas")."%" 

Implement the above query. how can I output the result by severity, which is an event field from within the index=xyz

0 Karma

Legend

Assuming you have severity field in the csv as well (else, how will you match?) you can do this

index=xyz | stats dc(Name) as totalcve by severity |appendcols [|inputlookup cve_08042016.csv| stats count(Name) as Totalcve by severity]| eval perc=tostring(totalcve/Totalcve*100,"commas")."%"

OR
If you want to compare % in index by severity vs total in csv, try this

index=xyz | stats dc(Name) as totalcve by severity |appendcols [|inputlookup cve_08042016.csv| stats count(Name) as Totalcve]| filldown Totalcve | eval perc=tostring(totalcve/Totalcve*100,"commas")."%"
0 Karma

Legend

You should be able to do this:

yoursearchhere
| yourlookuphere
| eval percent = round(abc /xyz * 100, 1)

Assuming that your search gives you a numeric field named abc and the lookup gives you a field named xzy, the eval command will create a new field named percent, and will calculate the percentage for every event.

If you want to compute an overall percentage based on a count of the events or some other statistic (which seems to be what some of the commenters were asking), then you might need to use a stats command or something else prior to the eval...

0 Karma

Revered Legend

How are the lookup field and splunk's event field related? Do they have a common field value based on which it can be matched?

0 Karma

Explorer

So the event field is a list of CVE's that splunk spit out and the lookup has CVE's from NVD.

0 Karma

Legend

Are you wanting to calculate the number of CVEs present in the events vs in the lookup?

0 Karma

Explorer

I have the numbers. just trying to figure out the %. And my question was does splunk has % as function?

0 Karma

Legend

There's no built in % function. You will have to do abc/xzy*100. To format you can do tostring(abc/xyz*100, "commas")."%"

0 Karma

Explorer

abc and xyz have same fieldnames one is an event field and other is an lookup. and the y have CVE id, I just need to find the %

0 Karma

Explorer

how can I use the lookup as subsearch to get the count and find the %?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!