Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Counting results with versus without a term and graphing number as percentage for each day

gbolcer
Explorer
‎01-21-2011 08:36 PM

I have 2,894 events when I do a search for everything in my index.

When a do a search for a subset of things with an added search term, I get 49.

So for that time period of everything, I want to be able to show a 1.6% out of 100% graph.

Further, I want for each day (24 hour period) to calculate the number of times a term shows up in events divided by the total events to show up as a daily 0-100% graph.

Ideas?

Tags (2)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎01-21-2011 10:17 PM

The most efficient way for a whole index would be:

mysearchterm 
| stats count 
| eval [ eventcount | rename count as totalcount | format "" "" "" "" "" "" ] 
| eval pct=100*(count/totalcount)

But this is hacky and skeevy and not generalizable to get daily counts and percentages

More generally, the best way to get your would be to do:

* | timechart span=1d 
    count as totalcount
    count(eval(searchmatch("mysearchterm"))) as count 
  | eval pct=100*(count/totalcount)

Of course, you could modify your the part in the eval(...) and use a different function if that's more suitable: http://www.splunk.com/base/Documentation/4.1.12/SearchReference/CommonEvalFunctions

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎01-21-2011 10:22 PM

Additionally, if you're doing this frequently, you should considering building and storing a summary index of the daily event counts rather than having to retrieve and count every event each time your run the query.

0 Karma
Reply

David
Splunk Employee
Splunk Employee
‎01-21-2011 08:48 PM

I wouldn't think that this would scale particularly well, since you're going to be running a global search, and if you get to tens or hundreds of thousands of events, it'll get very slow. But for small numbers you could use:

search | stats count as TotalCount | appendcols [search foo | stats count as SubsetCount] | eval Perc = round((SubsetCount/TotalCount)*100,2) | fields Perc

For the daily graph, you could put the above in a summary index and then just query that. If you wanted to do it on the fly, you could go for:

search | timechart count as TotalCount span=1d | join _time [search foo | timechart count as SubsetCount span=1d] | eval Perc = round((SubsetCount/TotalCount)*100,2) | fields - TotalCount, SubsetCount

Hope that helps.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...