Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I use the same search but divide the results of one time frame with another?

mcram52
New Member
‎08-09-2019 10:46 AM

How can I use the same search to divide the results of a specific time frame with the total daily sum to get a percentage? My base query would be this:

(index=epackage OR index=dxprd01-epackage) flow_event=Package* 
    | stats sum(numberOfReports)

So basically I'm interested in getting the sum(numberOfReports) from 9-11am, then the sum(numberOfReports) total for the day, then divide the two and multiply by 100 (unless there's an easier way to get the percentage). I have no idea where to even start with this (or if it's even possible) so any help would be fantastic.

Tags (1)
0 Karma
Reply

jpolvino
Builder
‎08-09-2019 10:57 AM

You could "mark" events in your time window:

...
| eval criticalEvent=if(date_hour>=9 and date_hour<11,1,null())
| stats sum(criticalEvent) AS criticalCount count AS totalVolume
| eval percentage=criticalCount/totalVolume*100
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...