Solved: Get percentage of matchin to all events

Simon · ‎07-07-2011

Hi all

I think this will be easy for you guys but I have no clue at the moment 😉

My search is very simple:

sourcetype=access_combined | regex uri="\.(gif|jpg|jpeg|png)$"

With adding

| stats count(_raw)

I get the number of events matching my regex.
How can I get the percentage of events matching my regex to the total number of events of the base search

sourcetype=access_combined

?

Thanks,
Simon

ziegfried · ‎07-07-2011

sourcetype=access_combined | eval request_type=if(match(uri, "\.(gif|jpe?g|png)"),"image", "other") | stats count(eval(request_type="image")) as image_requests count as total | eval img_pct=image_requests/total*100

or simplified:

sourcetype=access_combined | stats count(eval(match(uri, "\.(gif|jpe?g|png)"))) as image_requests count as total | eval img_pct=image_requests/total*100

View solution in original post

ziegfried · ‎07-07-2011

sourcetype=access_combined | eval request_type=if(match(uri, "\.(gif|jpe?g|png)"),"image", "other") | stats count(eval(request_type="image")) as image_requests count as total | eval img_pct=image_requests/total*100

or simplified:

sourcetype=access_combined | stats count(eval(match(uri, "\.(gif|jpe?g|png)"))) as image_requests count as total | eval img_pct=image_requests/total*100

Simon · ‎07-07-2011

Absolutely what I searched for - thanks a lot!

Get percentage of matchin to all events

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases