Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Cant generate proper table with percentage and BY ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
martinmasif
Explorer
02-27-2020
07:27 AM
Hi! First question and relative newbie, so bear with me! 🙂
I created below query to show the number of missing server ID's per rack. But I can't get the BY clause and percentage calculation to work in the same query.
index=servers
| eval serverId_present=if(isnotnull(serverId), "OK", "Missing server ID")
| stats count as totalServers, count(eval(serverId_present="Missing server ID")) as missingServers
| eval missingPercentage=round(100*missingServers/totalServers, 2)
| chart sum(totalServers), sum(missingServers), sum(missingPercentage) by rack
No results found when using the BY clause at the end of the chart pipe. But when I remove the BY clause, it generates a table with only one row where the missingPercentage is correct.
Resuslts without BY clause:
sum(totalServers) sum(missingServers) sum(missingPercentage)
854043 16326 1.91
So I created a second query to see if that worked instead, but no:
index=servers
| eval serverId_present=if(isnotnull(serverId), "OK", "Missing server ID")
| chart count AS totalServers count(eval(serverId_present="Missing server ID")) AS missingServers count(eval(round(100*missingServers/totalServers,2))) AS missingPercentage by rack
This query generates a table with rows for each rack where all the missingPercentage is just "0". Still a "0" if I remove the BY clause. The BY clause is working though and showing rows for each Instance.
Resuslts with BY clause:
Instance totalOrders totalError missingRate
Rack1 575555 2502 0
Rack2 278488 13824 0
Tried stats command instead of chart but no difference.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jpalacian
Path Finder
02-28-2020
04:03 AM
index=servers
| eval serverId_NOT_present=if(isnotnull(serverId), 0, 1)
| stats count as totalServers, sum(serverId_NOT_present) as missingServers by rack
| eval missingPercentage=round(100*missingServers/totalServers, 2)
| stats sum(totalServers), sum(missingServers), sum(missingPercentage) by rack
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jpalacian
Path Finder
02-28-2020
04:03 AM
index=servers
| eval serverId_NOT_present=if(isnotnull(serverId), 0, 1)
| stats count as totalServers, sum(serverId_NOT_present) as missingServers by rack
| eval missingPercentage=round(100*missingServers/totalServers, 2)
| stats sum(totalServers), sum(missingServers), sum(missingPercentage) by rack
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
02-27-2020
02:24 PM
index=servers
| eval serverId_present=if(isnotnull(serverId), "OK", "Missing server ID")
| stats count as totalServers, count(eval(serverId_present="Missing server ID")) as missingServers by rack
| eval missingPercentage=round(100*missingServers/totalServers, 2)
| rename rack as Instance
| stats sum(totalServers) as totalOrders, sum(missingServers) as totalError, sum(missingPercentage) as missingRate by Instance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
martinmasif
Explorer
02-28-2020
03:26 AM
Didn't get that last | as you want? And it's missing the missingRate to get the percentage.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
02-28-2020
03:44 AM
well, Should I make all your query?
Instance totalOrders totalError missingRate
where does these come from?
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
