Splunk Search

Get percentage after case and stats calculations

dwong2
New Member

...search
| eval Type=case(like(publishId,"%U"),"UnSubscribed",like(publishId,"%S"),"Subscribed")
| stats dc(accountExId) as TotalAccounts count(tile) as count by Type

How do I get a percentage after the above results?
If Subscribed: eval round(count/TotalAccounts*100,2)
If UnSubscribed: eval round(count/totalAccounts*100,2)

Tags (1)
0 Karma
1 Solution

somesoni2
Revered Legend

Try like this

...search
| eval Type=case(like(publishId,"%U"),"UnSubscribed",like(publishId,"%S"),"Subscribed") 
| stats dc(accountExId) as TotalAccounts count(tile) as count by Type
| eval Percentage=round(count/TotalAccounts*100,2)

View solution in original post

0 Karma

somesoni2
Revered Legend

Try like this

...search
| eval Type=case(like(publishId,"%U"),"UnSubscribed",like(publishId,"%S"),"Subscribed") 
| stats dc(accountExId) as TotalAccounts count(tile) as count by Type
| eval Percentage=round(count/TotalAccounts*100,2)
0 Karma

dwong2
New Member

Just checked the calculations and something is off with my calc's..
For the count(tile) as count by Type:
...this is the data:
accountId=12345678
tile=tile1

accountId=87654321
tile=tile2

accountId=12345678
tile=tile3

How can I get the distinct count for accountId? For the above example, I only want to count accountId twice because all I care about is if the accountId has at least one entry for tile... so the count should be only 2.

0 Karma

dwong2
New Member

Didn't know that the eval Percentage would calculate for both Subscribed and UnSubscribed with one statement. Thought that I would have to explicitly call it out. Anyways, works like a charm. Thank You!

0 Karma

somesoni2
Revered Legend

Yes.. with stats command, both values are coming under single field 'Type', so single eval (which is done for each row) is sufficient.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...