Splunk Search

Can you help me with a stats count that returns a percentage?

jip31
Motivator

Hi,

I use the search below to count the number of events.

I want to do the same calculation, but in percent

eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit') 
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)  
| stats dc(Degradation_Time) as Total by File_Name 
| sort -Total limit=10

Could you help me, please?

0 Karma

jip31
Motivator

My result is the total of degradation time by File_Name. The total is an integer number.
Now I want the same in percent.
I have done this, but I do not have exactly the same result.
The first field name in the integer panel is in second position in the percent panel:

eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)
| stats count by File_Name
| eventstats sum(count) as Total
| eval Percent=round((count/Total)*100,1). " %"
| table File_Name Percent
| sort -Percent limit=10

0 Karma

astatrial
Contributor

What do you mean by "the same calculation in percent"?
What is your total? The count of distinct Degradation_Time from all files? The count of Degradation_Time values from the total number of Degradation_Time?

Regards,

0 Karma

jip31
Motivator

It was just an issue in my stats count. I close the topic.

0 Karma

cvssravan
Path Finder

Hi, you can try the top command (by default it will give 10 results, so I haven't used limit):

eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit')
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)
| top countfield=Total Degradation_Time by File_Name

0 Karma

cvssravan
Path Finder

If you want to consider distinct count as well, try this:

eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit')
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)
| stats dc(Degradation_Time) as Total by File_Name
| top Total by File_Name

0 Karma

jip31
Motivator

It's not what I want.
In my query I count the number of degradation time by file name
I want the same thing in percent.....

0 Karma

cvssravan
Path Finder

Assuming that you are looking for sum(Degradation_Time) by file and then percentage, not count. See my answer below:

eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit')
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)
| stats sum(Degradation_Time) as Degradation_Time_By_File by File_Name
| appendcols
[search eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit')
| stats sum(Degradation_Time) as Total_Degradation_Time]
| filldown Total_Degradation_Time
| eval Percent_Degradation_Time_By_File =(Degradation_Time_By_File*100)/Total_Degradation_Time

Hope it works

0 Karma
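Added example, not written by any participant in this thread: a percent version that keeps the original `dc(Degradation_Time)` metric instead of switching to `count`, and sorts on the numeric value before the " %" suffix turns it into a string (a string field sorts lexicographically, so "9.1 %" would rank above "12.3 %"). It assumes the denominator is the sum of the per-file distinct counts; `Grand_Total` is a field name chosen for this example.

```spl
eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit')
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)
| stats dc(Degradation_Time) as Total by File_Name
| eventstats sum(Total) as Grand_Total
| eval Percent=round((Total/Grand_Total)*100,1)
| sort 10 -Percent
| eval Percent=Percent." %"
| table File_Name Total Percent
```

Because `Percent` is derived from `Total` by dividing by a constant, the top 10 rows come out in the same order as in the integer panel.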