Splunk Search

Can you help me do an eval for a percentage of two values in an Xyseries?

New Member

I have my derived tables

| stats count by breached region 
| xyseries region breached  count

REGION  NO   YES
US      100  25
EU      200  50

I want to do an eval for the percentage of breached as a new column after YES.
Any ideas?

SplunkTrust

@TCK101 instead of using stats followed by xyseries, you can get the same output by using stats with eval. The addtotals command will create a Total field with the total of Yes and No. Then, optionally, foreach can be used to apply a template eval (or else you can write two separate evals to calculate Yes % and No %). Try the following search and confirm!

 <yourCurrentSearch>
| stats count(eval(breached=="Yes")) as "Yes" count(eval(breached=="No")) as "No" by region
| addtotals
| foreach "Yes", "No" 
    [| eval "<<FIELD>> %"=round((<<FIELD>>/Total)*100,2)] 
| table region "* %"

Following is a run-anywhere example based on Splunk's _internal index (I have reduced the number of results to have the components with both Fail % and Success %):

index=_internal sourcetype=splunkd 
| stats count(eval(log_level=="INFO")) as "SUCCESS" count(eval(log_level!="INFO")) as "FAIL" by component 
| search SUCCESS>0 AND FAIL>0 
| addtotals 
| foreach SUCCESS, FAIL 
    [| eval "<<FIELD>> %"=round((<<FIELD>>/Total)*100,2)] 
| sort - "FAIL %" 
| table component "* %"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Splunk Employee

Hi @tck101

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

Explorer

Hi there,
I have a similar situation, need to calculate percentage for the below table -
index=x | xyseries hostname compName status

hostname  Comp1   Comp2   Comp3   Comp4
x         Passed  Failed  Passed  Failed
y         Failed  Passed  Passed  Passed

I need another col where percentage is calculated like (Passed/Passed+Failed)*100. How do we achieve it?
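For the follow-up question above, one way to get a per-row percentage, shown as an added example that is not part of the original thread. The makeresults/streamstats lines only construct the two sample rows from the post, the Passed and Failed counter fields are names assumed here, and the formula is read as Passed/(Passed+Failed).

```spl
| makeresults count=2
| streamstats count as n
| eval hostname=if(n==1, "x", "y"),
       Comp1=if(n==1, "Passed", "Failed"),
       Comp2=if(n==1, "Failed", "Passed"),
       Comp3="Passed",
       Comp4=if(n==1, "Failed", "Passed")
| fields - _time n
| eval Passed=0, Failed=0
| foreach Comp*
    [| eval Passed=Passed+if('<<FIELD>>'=="Passed", 1, 0),
            Failed=Failed+if('<<FIELD>>'=="Failed", 1, 0)]
| eval "Passed %"=round((Passed/(Passed+Failed))*100, 2)
| table hostname Comp* "Passed %"
```

Against real data, replace everything up to `fields - _time n` with `index=x | xyseries hostname compName status`. A row with no Passed or Failed values gets a null percentage, because eval returns null on division by zero.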