- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you help me do an eval for a percentage of two...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have my derived tables
| stats count by breached region
| xyseries region breached count
REGION NO YES
US 100 25
EU 200 50
I want to do an eval for the percentage of breached as a new column after YES
any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@TCK101 instead of using stats followed by xyseries, you can get the same output by using stats with eval. The addtotal command will create a Total field with the total of Yes and No. Then optional foreach can be used to apply template eval (or else you can write two separate evals to calculate Yes % and No %. Try the following search and confirm!
<yourCurrentSearch>
| stats count(eval(breached=="Yes")) as "Yes" count(eval(breached=="No")) as "No" by region
| addtotals
| foreach "Yes", "No"
[| eval "<<FIELD>> %"=round((<<FIELD>>/Total)*100,2)]
| table region "* %"
Following is a run anywhere example based on Splunk's _internal index ( I have reduced the number of results to have the components with both Fail % and Success %):
index=_internal sourcetype=splunkd
| stats count(eval(log_level=="INFO")) as "SUCCESS" count(eval(log_level!="INFO")) as "FAIL" by component
| search SUCCESS>0 AND FAIL>0
| addtotals
| foreach SUCCESS, FAIL
[| eval "<<FIELD>> %"=round((<<FIELD>>/Total)*100,2)]
| sort - "FAIL %"
| table component "* %"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @tck101
Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@TCK101 instead of using stats followed by xyseries, you can get the same output by using stats with eval. The addtotal command will create a Total field with the total of Yes and No. Then optional foreach can be used to apply template eval (or else you can write two separate evals to calculate Yes % and No %. Try the following search and confirm!
<yourCurrentSearch>
| stats count(eval(breached=="Yes")) as "Yes" count(eval(breached=="No")) as "No" by region
| addtotals
| foreach "Yes", "No"
[| eval "<<FIELD>> %"=round((<<FIELD>>/Total)*100,2)]
| table region "* %"
Following is a run anywhere example based on Splunk's _internal index ( I have reduced the number of results to have the components with both Fail % and Success %):
index=_internal sourcetype=splunkd
| stats count(eval(log_level=="INFO")) as "SUCCESS" count(eval(log_level!="INFO")) as "FAIL" by component
| search SUCCESS>0 AND FAIL>0
| addtotals
| foreach SUCCESS, FAIL
[| eval "<<FIELD>> %"=round((<<FIELD>>/Total)*100,2)]
| sort - "FAIL %"
| table component "* %"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
I have a similar situation , need to calculate percentage for the below table -
index=x | xyseries hostname compName status
hostname , Comp1 , Comp2, Comp3 , Comp4
x Passed Failed Passed Failed
y Failed Passed Passed Passed
I need another col where percentage of is calculated like (Passed/Passed+Failed)*100 ..how do we achieve it?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
