Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you help me with a percentage calculation in Splunk?

hjsabdjahbd
Observer
‎01-09-2019 06:19 AM

Hello,

I need to do a percentage calculation, but I cannot.

I have the data as follows:

It is just a field named action_group, and inside it, I have only the values "sent", "open", and "click". I need to calculate the percentage of open in relation to sent and click in relation to open.

Jé tried with the eval command in a subsearch, but nothing has worked.

Anyone have any tips on how I can do this?

Thank you!!!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-09-2019 07:48 AM

Try this.

<your search for events that contain action_group> 
| stats count(eval(action_group="sent")) as sent, count(eval(action_group="open")) as open, count(eval(action_group="click")) as click
| eval pctOpen = round((open*100)/sent, 2), pctClick = round((click*100)/open, 2)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎01-09-2019 07:44 AM

You should provide us with your SPL and exactly what your looking to do. This should be a simple eval like this 

| eval percent = ('sent'+'click')/'open'
0 Karma
Reply

hjsabdjahbd
Observer
‎01-09-2019 07:56 AM

I also thought it would be a simple eval so, however I can not reference the field I want. This example you gave, already tried and it does not bring me any results.

I did not put the query here because I have not been able to develop anything that comes close to what I want.

My source file looks like the following (it is an export from a phishX campaign).
_id action action_group inserted_at ip user.cargo user.country user.departamento user.domain ....

The "action_group" field has the following categories: "sent", for emails that were sent, "open", for emails that were opened and "clicked" for the emails that were clicked. I want to calculate a simple percentage between sent e-mails with the ones that were open and one percentage between open e-mails and clicked ones.

I do not know how to make splunk consider the total of "sent" as the hole total to make the calculation.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎01-09-2019 08:01 AM

Can you confirm that sent, click, and open are numeric fields? If even 1 of them are non numeric then it will not return results

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...