Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I derive a field based on the existing two...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All,
I am new to Splunk, and in need of help for below events:
- [testName="MobileExp",experience="FetchOn"]
- [testName="MobileExp",experience="FetchOff"]
- [testName="ProductDesign",experience="A"]
- [testName="ProductDesign",experience="B"]
- [testName="ProductDesign",experience="C"]
- [testName="ProductDesign",experience="B"]
- [testName="ProductDesign",experience="B"]
Using above events, I wanted to derive a field which would have percentage for each "experience" of a "testName". For example, for testName="MobileExp", there are two experiences, each of them appearing exactly once. So, percentage split for the experiences relating to testName="MobileExp" is 50%.
Thank you in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured out the answer with the help of @renjith.nair.
The following worked:
"baseSearch"
| eventstats count as testCount by testName
| eventstats count as expTotal by experience
| eval trafficSplit=round((expTotal/testCount)*100,1) | fields - expTotal, testCount
| table testName experience trafficSplit | dedup testName experience trafficSplit
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured out the answer with the help of @renjith.nair.
The following worked:
"baseSearch"
| eventstats count as testCount by testName
| eventstats count as expTotal by experience
| eval trafficSplit=round((expTotal/testCount)*100,1) | fields - expTotal, testCount
| table testName experience trafficSplit | dedup testName experience trafficSplit
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
question: why you are deduping at the end ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did it to remove any duplicate records
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Accept the answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@newsplnkr ,
Try
"your base search "|eventstats count by testName,experience
|eventstats sum(count) as total by testName
|eval perc=round((count/total)*100,2)|fields - count,total
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Renjith, unfortunately, the above query does not produce any results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this search, replace the base search as per your data :
| makeresults
| eval Data="testName:MobileExp,experience:FetchOn;testName:MobileExp,experience:FetchOff;testName:ProductDesign,experience:A;testName:ProductDesign,experience:C;testName:ProductDesign,experience:B;testName:ProductDesign,experience:B"
| makemv delim=";" Data
| mvexpand Data
| eval Split1=mvindex(split(Data,","),0)
| eval Split2=mvindex(split(Data,","),1) | eval testName=mvindex(split(Split1,":"),1) | eval experience=mvindex(split(Split2,":"),1) | table _time testName experience | eventstats count as test_count by testName experience | eventstats sum(test_count) as Total by testName | eval perc=(test_count/Total*100)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
