Splunk Search

Charting a percentage

a212830
Champion

Hi,

How would I chart a percentage of values? I want to count the number of events that match a criteria, and then display in a chart the percentage that match a certain criteria.

Tags (2)
1 Solution

lguinn2
Legend

Try

yoursearchhere |
stats count by criteria | 
eventstats sum(count) as totalCount |
eval percentage=round(count*100/totalCount,1) |
fields - count totalCount |
chart max(percentage) by criteria

In the search above max(percentage) is really sort of a no-op, as there is only one percentage for each criterion. But you can't just give a field name for the Y argument, you have to give a function...

View solution in original post

lguinn2
Legend

Try

yoursearchhere |
stats count by criteria | 
eventstats sum(count) as totalCount |
eval percentage=round(count*100/totalCount,1) |
fields - count totalCount |
chart max(percentage) by criteria

In the search above max(percentage) is really sort of a no-op, as there is only one percentage for each criterion. But you can't just give a field name for the Y argument, you have to give a function...

ChrisG
Splunk Employee
Splunk Employee

lguinn2
Legend

eventstats calculates a statistic (same functions as stats) - and then adds the results as a field to every event. Just do this and you will be able to see it better:

yoursearchhere |
stats count by criteria |
eventstats sum(count) as totalCount

The totalCount field is the same in every event, because it is the overall total.

a212830
Champion

Thanks. Looks like it did the trick - I'm looking at my training manuals and reference sheets, and I don't see eventstats listed anywhere. What does that do?

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...