Get percentage between two graph lines over time


jizzmaster

Path Finder

07-31-2015 12:45 PM

I have two numbers that I am trying to get a percentage out of. One number is a count of total IPs. The other is a count of asset records. I want to know what percentage of total IPs have an asset record. That's "asset/total" for a proportion. Easy enough.

Now the part that is stumping me. I summarize the "asset" number and the "total" number each day into a summary index. So I have a running number for each. I would like to have a graph showing the "total" count, the "asset" count, and a new field, "percentage." How can I have Splunk start at 30 days back, compare these two numbers to create a percentage, then do the same things for days 29-1 and make it into a visual graph?

Here's my current attempt at doing it for just the most recent summary info. Not sure how to approach the 30 days, though.

```
index=summary source="assets" earliest=-1d
|eval proportion=count/[search index=summary source="total" earliest=-1d |return $count]
|table proportion
```

1 Solution


bmacias84

Champion

07-31-2015 01:04 PM

Not exactly sure what your data looks like, but here are two methods I would use.

```
index=summary source="assets" earliest=-1d | table count | appendcols [search index=summary source="total" earliest=-1d | rename count as total | fields total] | eval proportion=count/total | table proportion
index=summary source="assets" earliest=-1d | table _time count | join _time [search index=summary source="total" earliest=-1d | rename count as total | fields _time total] | eval proportion=count/total | table proportion
```
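An added example, not from either poster: one way to extend the single-day searches above to the 30-day graph the question asks for, reading both summary sources in one search instead of a subsearch. It assumes each daily summary event carries a `count` field and that the `source` values are exactly `assets` and `total` as in the searches above; the `asset` and `percentage` column names are chosen here to match the question's wording.

```spl
index=summary (source="assets" OR source="total") earliest=-30d@d latest=@d
| timechart span=1d latest(count) BY source
| rename assets AS asset
| eval percentage=if(total > 0, round(100 * asset / total, 2), null())
```

Days on which either summary is missing produce an empty `percentage` rather than a misleading 0, which makes gaps in the summary job visible on the graph. Because `percentage` is on a 0-100 scale while the counts are not, it reads best as a chart overlay on a second Y-axis.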



jizzmaster

Path Finder

07-31-2015 01:17 PM