
## Calculate percentage

Path Finder

Hello,
I have this query:
```
index=dm counter="Short Equity Loop Duration"
| timechart span=1h max(Value),median(Value) by counter
| rename "max(Value): Short Equity Loop Duration" AS "Max Values", "median(Value): Short Equity Loop Duration" AS "Median Values"
```

The total event count is 86,397. I would like to add a percentage field that counts how many events have a value below 1000, more than 1000 to 2000, 2001 to 3000, etc.

Can anyone help?

Thanks,
Rotem

1 Solution
Esteemed Legend

Run this for "Last 24 hours"

```
Your base search here with no other commands (pipes)
| bucket Value span=1000
| top limit=0 Value
```
Esteemed Legend


So you are throwing away your timechart then? I do not understand. Give us some sample events (or intermediary events that you know are good for you) and a mockup of desired final output (stats tab, not visualization tab).

Path Finder

Hi,
Thanks for the answer - here is an example event

07/06/2016 06:30:42.149 +0000
collection=DealMonitor
object=DealMonitor
counter="Short Equity Loop Duration"
instance=0
Value=6476

What I'm trying to achieve is a time chart (24 hours) that spans 1h and shows the percentages of values that were between:
1-1000
1001-2000
2001-3000
3000.....

Thanks

Legend

Try this

```
index=dm counter="Short Equity Loop Duration"
| bin span=1h _time as time
| eventstats count(eval(Value<1000)) as cntBelow count(eval(Value>=1000 AND Value<2001)) as cntBetween count(eval(Value>2000)) as cntAbove count as Total by time counter
| eval percBelow=tostring(cntBelow/Total*100, "commas")."%"
| eval percBetween=tostring(cntBetween/Total*100, "commas")."%"
| eval percAbove=tostring(cntAbove/Total*100, "commas")."%"
| chart values(cnt*) as cnt* values(perc*) as perc* over time by counter
| eval time=strftime(time, "%x %X")
| rename ....
```
SplunkTrust

```
index=dm counter="Short Equity Loop Duration"
| eval low=if(Value<1000,low+1,low)
| eval lowperc=(low/count)*100
| eval midlow=if(1000<=Value AND Value<2000,midlow+1,midlow)
| eval midlowperc=(midlow/count)*100
...
| timechart span=1h values(lowperc) AS LowPercentage, values(midlowperc) AS MidLowPercentage, ... max(Value),median(Value) by counter
| rename "max(Value): Short Equity Loop Duration" AS "Max Values", "median(Value): Short Equity Loop Duration" AS "Median Values"
```

Add the other possibilities where I added ...
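
An added example, not taken from any of the posts above: one way to produce the hourly percentage per value range that the question asks for. The eight events are constructed with `makeresults` so the search runs on any instance; the range labels, and counting everything at or below 1000 in the first range, are assumptions.

```spl
| makeresults count=8
| streamstats count AS n
| eval _time=strptime("07/06/2016 06:00:00", "%m/%d/%Y %H:%M:%S") + (n-1)*900
| eval Value=case(n=1, 350, n=2, 1200, n=3, 6476, n=4, 990, n=5, 2500, n=6, 1800, n=7, 400, n=8, 3100)
| eval range=case(Value<=1000, "1-1000", Value<=2000, "1001-2000", Value<=3000, "2001-3000", true(), "3001+")
| bin _time span=1h
| stats count BY _time range
| eventstats sum(count) AS total BY _time
| eval pct=round(count/total*100, 2)
| xyseries _time range pct
| fillnull value=0
```

To run it against the real data, replace the first four lines with the base search `index=dm counter="Short Equity Loop Duration"`; `fillnull` covers hours in which a range has no events.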
