- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I tally a value that represents usage ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a field lets call it usage that can up to 3 of these letters (b, n, e)
i.e. all possible logged permutations we could get are the following
- b
- e
- n
- be
- bn
- en
- ben
I have a chart showing counts of these using | stats count by usage
what would also like to chart is total number of events that had usage with b, with e, and with n.
i.e. how many (and the percent of) events used each letter in any combo
to be able to see usage
b 5
e 170
n 34
and the percent of total events
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
... | rex field=usage "(?<usage_letter>.)"
| multireport
[ stats count AS total_count | eval keep="false" ]
[ stats count BY usage_letter | eval keep="true" ]
| filldown total_count
| where keep="true"
| eval pct = 100 * count / total_count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
... | rex field=usage "(?<usage_letter>.)"
| multireport
[ stats count AS total_count | eval keep="false" ]
[ stats count BY usage_letter | eval keep="true" ]
| filldown total_count
| where keep="true"
| eval pct = 100 * count / total_count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @woodcock this is great! I wasn't familiar with the multireport command can you explain a bit and also on how the keep is being used? I couldn't find doc on multireport
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is not documented but it forks the results at that point and passes a copy to each [] stanza and then appends the results of everything together. Please do click Accept to close the question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
would the usage ben be a count of 1 each for b, e, and n and the usage be be counted as one each also so that the total count would be b=2, e=2, n=1?
can you post some of the raw data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes that is correct @marycordova
I can't really post actual events but it's would be similar to the following (I stripped out & edited lots of internal irrelevant stuff )
{"timestamp":"2016-07-11T23:34:35.968Z","thread":"****","level":"INFO",message":"Data CRUD: usage:be, numberOfModl:2"}
{"timestamp":"2016-07-11T23:24:51.671Z","thread":"****","level":"INFO","message":"Data CRUD: usage:b, numberOfModl:4"}
{"timestamp":"2016-07-11T22:56:35.413Z","thread":"****","level":"INFO","message":"Data CRUD: usage:bn, numberOfModl:3"}
{"timestamp":"2016-07-11T21:56:35.113Z","thread":"****","level":"INFO","message":"Data CRUD: usage:ben, numberOfModl:7"}
{"timestamp":"2016-07-11T20:16:35.113Z","thread":"****","level":"INFO","message":"Data CRUD: usage:en, numberOfModl:3"}
etc..
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
