Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Combining stats search results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Combining stats search results
I run a search on a field that has multiple values. For example the field quest_name has the following values
quest_name
1 wpad.TASCNET.tasc.com
2 wpad.tascnet.tasc.com
3 wpad.stafford.net
1). I can compute the number of records that exists for each field value with the following search
index=dns* quest_name=wpad* | stats count by quest_name | sort - count
The results are
quest_name count
1 wpad.TASCNET.tasc.com 5777
2 wpad.tascnet.tasc.com 1324
3 wpad.stafford.net 225
2). I can compute the total number of records for all values for quest_name with the following search
index=dns* quest_name=wpad* | stats count(quest_name) AS total
The results are
total
1 9492
3). Now I want to obtain the percentage of each field value in relation to the "total" value using a single search to show the following calculations:
quest_name count percent
1 wpad.TASCNET.tasc.com 5777 5777/9492=
2 wpad.tascnet.tasc.com 1324 1324/9492=
3 wpad.stafford.net 225 225/9492=
This I have not been able to do. Your help is requested. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the diversity of answers.
I now get to know how to use subsearch, join, eventstats.
One note though about the captchas. I have tried to answer much earlier but I have so many captchas.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The top command can definitely give you the result.
index=dns quest_name=wpad* | top limit=0 quest_name
Other option is as below:
index=dns quest_name=wpad | stats count by quest_name | sort - count | eventstats sum(count) as total | eval percent=round(count*100/total,2) | fields - total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Thuan,
Try this
index=dns quest_name=wpad | stats count by quest_name|eval a="a1"|join a[|search index=dns quest_name=wpad | stats count(quest_name) AS total|eval a="a1"|table a,total]|eval percent=(count/total)*100|eval percentage=percent.%|table quest_name,count,percentage
OR you may as look at the below simple one, i guess both give the same result.
index=dns quest_name=wpad*|top quest_name
Thanks
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
