
How can I show the percentage of events that match a criteria?

ashishhsihsa
New Member

I have the following query, which gives me results for every hour and for each mne as a single row:

index=N sourcetype=APP earliest=-24h (time>5 AND (id=111111 OR id=222222))

| rex field=_raw "^(?\d{4}-\d{2}-\d{2} \d{2}).*time*"
| eval mne=case(id=111111, "FIRST", id=222222,"SECOND") 
| eval resp=case(time>=5 AND time<=2000, "     0 - 2 seconds", time>2000 AND time<=4000, "    2 - 4 seconds", time>4000 AND time<=6000, "   4 - 6 seconds", time>6000 AND time<=8000, "  6 - 8 seconds", time>8000 AND time<=10000, " 8 - 10 seconds", time>10000, "> 10 seconds") 
| eval time_mne=time+":00  "+mne
| chart count over time_mne by resp| addtotals |sort time_mne desc

Output is displayed as -

time_mne                | 0-2 seconds | 2-4 seconds | Total
2017-10-09 11:00 FIRST  | 23          | 12          | 126
2017-10-09 11:00 SECOND | 21          | 16          | 120
2017-10-09 10:00 FIRST  | 20          | 18          | 128
2017-10-09 10:00 SECOND | 22          | 15          | 124

What I want to do is add a percentage for one of the columns based on the total, e.g.: what percentage of the total is under 2-4 seconds?
How do I do it?

1 Solution

cmerriman
Super Champion

Try adding |eval under2_perc=round('0-2 seconds'/Total*100,2)
I'm going to assume, based on the question, that you're looking to divide the 0-2 seconds column by the Total column. Splunk might have a problem with the 0-2 seconds column name, so you might need to rename it before the eval.


ashishhsihsa
New Member

How do I display this new variable as a column adjacent to the "Total" column?


ashishhsihsa
New Member

Never mind, got it!!
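
A complete search showing the accepted answer's eval in context and one way to place the new column next to Total, as an added example that is not part of the original thread. It runs on constructed events from makeresults; the unpadded bucket labels, the three-bucket split, and the field names n, hour and pct_2_4 are assumptions made for the example.

```spl
| makeresults count=200
| streamstats count AS n
| eval hour=if(n % 2 == 0, "2017-10-09 10", "2017-10-09 11")
| eval mne=if(n % 3 == 0, "FIRST", "SECOND")
| eval time=(n * 53) % 6000 + 5
| eval resp=case(time<=2000, "0-2 seconds", time<=4000, "2-4 seconds", true(), "4-6 seconds")
| eval time_mne=hour.":00 ".mne
| chart count over time_mne by resp
| addtotals fieldname=Total
| eval pct_2_4=round('2-4 seconds' / Total * 100, 2)
| table time_mne "0-2 seconds" "2-4 seconds" "4-6 seconds" Total pct_2_4
| sort - time_mne
```

addtotals has to run before the eval, otherwise the percentage would be summed into Total, and the final table command is what fixes the column order. The single quotes make eval read 2-4 seconds as a field name; if the labels keep the leading spaces from the original query, the quoted name has to match them exactly, or the column has to be renamed first.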
