Not sure if I got what you're after, but this may help you.
Have a play with the options of this command, and it will calculate totals.
For the percentage you need to use the eval command.
You can indeed set up new fields on the fly with the rex command if it's a field extraction (you create a new field), and you can also create new fields with the eval command if they are not extractions but transformations.
This would be a more straightforward way of getting my percentage. But PSYoungGen and Full GC are just searches, not fields being picked up by Splunk. Can I define them as a field on the fly?
And Full GC is a subset of PSYoungGen, so a minor tweak to your logic above.
Yes, could you do a field extraction for those values? That way they could be under the same FIELD. Then try this:
sourcetype=gc.log FIELD="PSYoungGen" OR FIELD="Full GC" | stats count(eval(FIELD=="PSYoungGen")) AS "GCs", count(eval(FIELD=="Full GC")) AS "Full_GCs", count AS "Total"
...... and then calculate your percentage.
I was assuming that in some events you got this value "PSYoungGen" and in some others you got "Full GC"; if it does not work like that, maybe you can still see where I was going with my explanation. Please do not hesitate to ask if you don't understand.
Ok, this search worked for me. But I wonder if there is anything more efficient (shorter search string).
sourcetype=gc.log "PSYoungGen"|stats count as "GCs"|append [ search sourcetype=gc.log "Full GC"|stats count as "FullGCs"]|stats sum(GCs) as GCs,sum(FullGCs) as FullGCs|eval PercentFullGCs=(100*FullGCs/GCs)|eval PercentFullGCs=round(PercentFullGCs,0)|table PercentFullGCs
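Added example, not part of the original thread: a single-pass form of the search above that drops the append subsearch by counting the "Full GC" events conditionally inside one stats call. It assumes, as stated earlier in the thread, that every "Full GC" event also contains "PSYoungGen"; the if() guard returns 0 instead of null when no events match.

```spl
sourcetype=gc.log "PSYoungGen"
| stats count AS GCs, count(eval(like(_raw, "%Full GC%"))) AS FullGCs
| eval PercentFullGCs=if(GCs > 0, round(100 * FullGCs / GCs, 0), 0)
| table PercentFullGCs
```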