I am trying to display the percentage of Total Modems against Total Modems on Card 0.
The XML I am given unfortunately breaks up data from essentially one event into three:
source="C:\\splunk_files\\summary.xml" host="OSSTEST01" index="prtg_cmts" sourcetype="PRTG_API" | rex "(<sensor>)(?<sensor>.*)<" | rex "(<group>)(?<group>.*)<" | rex "(<lastvalue>)(?<value>\d+)\s" | search group="Bertha/Hewitt CMTS" | table _time, group, sensor, value
I have tried running a sub search to get just total modem count, and then compare that to the count of the two other rows, using eventstats, but that was not successful.
Try this
source="C:\\splunk_files\\summary.xml" host="OSSTEST01" index="prtg_cmts" sourcetype="PRTG_API" | rex "(<group>)(?<group>.*)<" | search group="Bertha/Hewitt CMTS" | rex "(<sensor>)(?<sensor>.*)<" | rex "(<lastvalue>)(?<value>\d+)\s" | table _time, group, sensor, value | eventstats sum(value) as Total by _time group | eval Percentage=round(value*100/Total,2)
Updated
If I'm not wrong, it is easy to implement by just changing eventstats sum(.. to eventstats max(..
source="C:\\splunk_files\\summary.xml" host="OSSTEST01" index="prtg_cmts" sourcetype="PRTG_API" | rex "(<group>)(?<group>.*)<" | search group="Bertha/Hewitt CMTS" | rex "(<sensor>)(?<sensor>.*)<" | rex "(<lastvalue>)(?<value>\d+)\s" | table _time, group, sensor, value | eventstats max(value) as Total by _time group | eval Percentage=round(value*100/Total,2)
That is helpful. I maybe forgot to mention, the first row is actually the total and the values below it fractional representations of it (they add up to the total).
So in this case:
The first row has the total modems: 126
Upstream 5 has 86 modems online so it has 68% of the modems online
Upstream 6 has 40 modems online so it has 32% of the modems online
So there are 100% of the modems online. That is what I would like to represent in a single value field.
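To make the updated answer's logic (eventstats max(value) as Total by _time group, then Percentage=round(value*100/Total,2)) and the numbers in the comment above checkable offline, here is an added Python re-implementation. It is not code from the original thread or from Splunk; the XML layout, the datetime tag and the sensor names are constructed to resemble the three-row case described (126 total, 86 and 40 on the two upstreams), and the value regex is the same capture the answer's rex uses on lastvalue.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input (assumption: one <item> per sensor reading, one
# reading per timestamp). Real PRTG exports differ in tag set and order.
SAMPLE_XML = """<prtg>
  <item><datetime>2024-01-01 00:00:00</datetime><group>Bertha/Hewitt CMTS</group>
        <sensor>Total Modems Card 0</sensor><lastvalue>126 #</lastvalue></item>
  <item><datetime>2024-01-01 00:00:00</datetime><group>Bertha/Hewitt CMTS</group>
        <sensor>Upstream 5</sensor><lastvalue>86 #</lastvalue></item>
  <item><datetime>2024-01-01 00:00:00</datetime><group>Bertha/Hewitt CMTS</group>
        <sensor>Upstream 6</sensor><lastvalue>40 #</lastvalue></item>
  <item><datetime>2024-01-01 00:00:00</datetime><group>Other CMTS</group>
        <sensor>Total Modems Card 0</sensor><lastvalue>9 #</lastvalue></item>
</prtg>"""

# Same capture as the answer's rex "(<lastvalue>)(?<value>\d+)\s":
# digits that are followed by whitespace.
VALUE_RE = re.compile(r"(\d+)\s")


def extract_rows(xml_text, group_filter):
    """Equivalent of the rex / search / table stages: one row per item
    in the wanted group, with _time, group, sensor and an integer value.
    For XML from an untrusted source, parse with defusedxml instead."""
    root = ET.fromstring(xml_text)
    rows = []
    for item in root.iter("item"):
        group = item.findtext("group", "")
        if group != group_filter:
            continue
        match = VALUE_RE.search(item.findtext("lastvalue", ""))
        if not match:
            # No numeric reading: Splunk would leave value null and the
            # later eval would produce no Percentage, so drop the row.
            continue
        rows.append({
            "_time": item.findtext("datetime", ""),
            "group": group,
            "sensor": item.findtext("sensor", ""),
            "value": int(match.group(1)),
        })
    return rows


def add_percentages(rows):
    """Equivalent of eventstats max(value) as Total by _time group
    followed by eval Percentage=round(value*100/Total,2).
    Using max() relies on the total row being the largest value, which
    holds when the other rows are fractions that add up to it."""
    totals = defaultdict(int)
    for row in rows:
        key = (row["_time"], row["group"])
        totals[key] = max(totals[key], row["value"])
    result = []
    for row in rows:
        total = totals[(row["_time"], row["group"])]
        pct = round(row["value"] * 100 / total, 2) if total else None
        result.append({**row, "Total": total, "Percentage": pct})
    return result


if __name__ == "__main__":
    for row in add_percentages(extract_rows(SAMPLE_XML, "Bertha/Hewitt CMTS")):
        print(row["sensor"], row["value"], row["Total"], row["Percentage"])
```

Two details worth knowing before relying on the posted rex: the trailing `\s` means a bare `<lastvalue>126</lastvalue>` with no space after the digits extracts nothing, and `max()` only stands in for the total while the total row really is the largest reading in each _time and group bucket; if a sensor could ever exceed the total, select the total row by sensor name instead.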