Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you help me with a percentage calculation in Splunk?

hjsabdjahbd
Observer
‎01-09-2019 06:19 AM

Hello,

I need to do a percentage calculation, but I cannot.

I have the data as follows:

It is just a field named action_group, and inside it, I have only the values "sent", "open", and "click". I need to calculate the percentage of open in relation to sent and click in relation to open.

Jé tried with the eval command in a subsearch, but nothing has worked.

Anyone have any tips on how I can do this?

Thank you!!!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-09-2019 07:48 AM

Try this.

<your search for events that contain action_group> 
| stats count(eval(action_group="sent")) as sent, count(eval(action_group="open")) as open, count(eval(action_group="click")) as click
| eval pctOpen = round((open*100)/sent, 2), pctClick = round((click*100)/open, 2)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎01-09-2019 07:44 AM

You should provide us with your SPL and exactly what your looking to do. This should be a simple eval like this 

| eval percent = ('sent'+'click')/'open'
0 Karma
Reply

hjsabdjahbd
Observer
‎01-09-2019 07:56 AM

I also thought it would be a simple eval so, however I can not reference the field I want. This example you gave, already tried and it does not bring me any results.

I did not put the query here because I have not been able to develop anything that comes close to what I want.

My source file looks like the following (it is an export from a phishX campaign).
_id action action_group inserted_at ip user.cargo user.country user.departamento user.domain ....

The "action_group" field has the following categories: "sent", for emails that were sent, "open", for emails that were opened and "clicked" for the emails that were clicked. I want to calculate a simple percentage between sent e-mails with the ones that were open and one percentage between open e-mails and clicked ones.

I do not know how to make splunk consider the total of "sent" as the hole total to make the calculation.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎01-09-2019 08:01 AM

Can you confirm that sent, click, and open are numeric fields? If even 1 of them are non numeric then it will not return results

0 Karma
Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...