Splunk Search

Get percentage of matchin to all events

Contributor

Hi all

I think this will be easy for you guys but I have no clue at the moment ๐

My search is very simple:

``````sourcetype=access_combined | regex uri="\.(gif|jpg|jpeg|png)\$"
``````

``````| stats count(_raw)
``````

I get the number of events matching my regex.
How can I get the percentage of events matching my regex to the total number of events of the base search

``````sourcetype=access_combined
``````

?

Thanks,
Simon

Tags (4)
1 Solution
Influencer
``````sourcetype=access_combined | eval request_type=if(match(uri, "\.(gif|jpe?g|png)"),"image", "other") | stats count(eval(request_type="image")) as image_requests count as total | eval img_pct=image_requests/total*100
``````

or simplified:

``````sourcetype=access_combined | stats count(eval(match(uri, "\.(gif|jpe?g|png)"))) as image_requests count as total | eval img_pct=image_requests/total*100
``````
Influencer
``````sourcetype=access_combined | eval request_type=if(match(uri, "\.(gif|jpe?g|png)"),"image", "other") | stats count(eval(request_type="image")) as image_requests count as total | eval img_pct=image_requests/total*100
``````

or simplified:

``````sourcetype=access_combined | stats count(eval(match(uri, "\.(gif|jpe?g|png)"))) as image_requests count as total | eval img_pct=image_requests/total*100
``````
Contributor

Absolutely what I searched for - thanks a lot!