Splunk Search

Calculate percentage

Rotema
Path Finder

Hello,
I have this query:
index=dm counter="Short Equity Loop Duration" | timechart span=1h max(Value),median(Value) by counter | rename "max(Value): Short Equity Loop Duration" AS "Max Values", "median(Value): Short Equity Loop Duration" AS "Median Values"

The total event count is 86,397. I would like to add a percentage field that counts how many events have a value below 1000, more than 1000 to 2000, 2001 to 3000, etc.

Can anyone help?

Thanks,
Rotem


woodcock
Esteemed Legend

Run this for "Last 24 hours"

index=dm counter="Short Equity Loop Duration" | bucket Value span=1000 | top limit=0 Value


woodcock
Esteemed Legend

So you are throwing away your timechart then? I do not understand. Give us some sample events (or intermediary events that you know are good for you) and a mockup of desired final output (stats tab, not visualization tab).


Rotema
Path Finder

Hi,
Thanks for the answer - here is an example event

07/06/2016 06:30:42.149 +0000
collection=DealMonitor
object=DealMonitor
counter="Short Equity Loop Duration"
instance=0
Value=6476

What I'm trying to achieve is a timechart (24 hours) with a 1h span that shows the percentages of values that were between:
1-1000
1001-2000
2001-3000
3000.....

Thanks


sundareshr
Legend

Try this

index=dm counter="Short Equity Loop Duration"
| bin span=1h _time as time
| stats count(eval(Value<1000)) as cntBelow count(eval(Value>=1000 AND Value<2001)) as cntBetween count(eval(Value>2000)) as cntAbove count as Total by time counter
| eval percBelow=tostring(cntBelow/Total*100, "commas")."%"
| eval percBetween=tostring(cntBetween/Total*100, "commas")."%"
| eval percAbove=tostring(cntAbove/Total*100, "commas")."%"
| eval time=strftime(time, "%x %X")
| rename ....

jkat54
SplunkTrust
SplunkTrust

index=dm counter="Short Equity Loop Duration"
| eval low=if(Value<1000,100,0)
| eval midlow=if(1000<=Value AND Value<2000,100,0)
...
| timechart span=1h avg(low) AS LowPercentage, avg(midlow) AS MidLowPercentage, ... max(Value),median(Value) by counter
| rename "max(Value): Short Equity Loop Duration" AS "Max Values", "median(Value): Short Equity Loop Duration" AS "Median Values"

Add the other possibilities where I added ...

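Pulling the answers above together, here is one complete query that produces the hourly percentage-per-range table the question asks for. It is an added example, not from any of the posters: it labels each event with a range via case, counts events per hour and range, and converts each count to a percentage of that hour's total. It assumes the field names from the sample event (index=dm, counter, Value) and the range boundaries listed in the question; the range labels are constructed here.

```spl
index=dm counter="Short Equity Loop Duration"
| eval bucket=case(Value<=1000, "1-1000", Value<=2000, "1001-2000", Value<=3000, "2001-3000", true(), "3001+")
| bin _time span=1h
| stats count AS n BY _time bucket
| eventstats sum(n) AS Total BY _time
| eval pct=round(n/Total*100, 2)
| chart values(pct) OVER _time BY bucket
```

Each row is one hour and each column is one range, holding the share of that hour's events that fell in the range, so the columns of a row add up to 100. Two edge cases to be aware of: an event whose Value field is missing gets no bucket and is dropped by the stats BY clause, so it is not in the denominator either, and any Value of 0 or below lands in the "1-1000" column because of the first case condition. If you still want the max and median alongside the percentages, run the original timechart as a separate search or append it with appendcols.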