Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I show the percentage of events that match a criteria?

ashishhsihsa
New Member
‎10-10-2017 09:05 AM

I have the following query which provides me results for every 1 hour and for each mne as single row

index=N sourcetype=APP earliest=-24h (time>5 AND (id=111111 OR id=222222))

| rex field=_raw "^(?\d{4}-\d{2}-\d{2} \d{2}).*time*"
| eval mne=case(id=111111, "FIRST", id=222222,"SECOND") 
| eval resp=case(time>=5 AND time<=2000, "     0 - 2 seconds", time>2000 AND time<=4000, "    2 - 4 seconds", time>4000 AND time<=6000, "   4 - 6 seconds", time>6000 AND time<=8000, "  6 - 8 seconds", time>8000 AND time<=10000, " 8 - 10 seconds", time>10000, "> 10 seconds") 
| eval time_mne=time+":00  "+mne
| chart count over time_mne by resp| addtotals |sort time_mne desc

Output is displayed as - 

time_mne                                |    0-2 seconds   |             2-4 seconds       | Total
2017-10-09 11:00 FIRST                  |      23          |                   12          |  126
2017-10-09 11:00 SECOND                 |       21         |                    16         |   120
2017-10-09 10:00 FIRST                  |       20         |                    18         |  128
2017-10-09 10:00 SECOND                 |       22         |                    15         |  124

What I want to do is - add a percentage for one of the columns based on total E.g.: What percentage of total are under 2-4 seconds ?
How do I do it?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎10-10-2017 11:18 AM

try adding |eval under2_perc=round('0-2 seconds'/Total*100,2)
I'm going to assume, based on the question, that you're looking to divide 0-2 seconds column by Total column. Splunk might have a problem with the 0-2 seconds column name, so you might need to rename it before the eval.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎10-10-2017 11:18 AM

try adding |eval under2_perc=round('0-2 seconds'/Total*100,2)
I'm going to assume, based on the question, that you're looking to divide 0-2 seconds column by Total column. Splunk might have a problem with the 0-2 seconds column name, so you might need to rename it before the eval.

0 Karma
Reply
Solved! Jump to solution

ashishhsihsa
New Member
‎10-10-2017 12:08 PM

How do i display this new variable as a column adjacent to "Total" column ?

0 Karma
Reply
Solved! Jump to solution

ashishhsihsa
New Member
‎10-10-2017 12:13 PM

Never mind got it !!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...