Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I turn a single value number into a percentage?

jhilton90
Path Finder
‎11-30-2022 03:49 AM

So I'm trying to turn a single value number into a percentage but the code just returns a number still.

Here's my code

index="keycloak" "MFA" 
mfa="MFA code issued" OR (mfa="MFA challenge issued")
| stats count AS Total count(eval(mfa="MFA code issued")) AS MFA_code_issued
| eval Percentage=round(((MFA_code_issued/Total)*100),2)
| table MFA_code_issued Percentage

Just to give some context:

MFA challenge issued = The number of challenges issued to customers to ask them whether they want to receive a OTP code via SMS or Email
MFA code issued = The number of OTP codes that have actually been issued to customers

So my colleagues have asked for the percentage of MFA codes issued

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-01-2022 06:25 AM 
index="keycloak" "MFA" 
mfa="MFA code issued" OR (mfa="MFA challenge issued")
| stats count(eval(mfa="MFA code issued")) AS MFA_code_issued count(eval(mfa="MFA challenge issued")) AS MFA_challenge_issued
| eval Percentage=((MFA_code_issued/MFA_challenge_issued)*100)
| eval Percentage=round('Percentage', 2)." %"

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-30-2022 04:06 AM

A percentage is a number, it represents the number of times out of 100 that the thing being counted has occurred out of the total.

Having said that, your total calculation will include the "MFA challenge issued" events as well as the "MFA code issued" events, so if you always issue a challenge and only sometimes issue a code, your percentage is always going to be less than 50%. Perhaps you should be counting the challenges and the codes and determining the percentage of challenges that a code is issued for?

0 Karma
Reply
Solved! Jump to solution

jhilton90
Path Finder
‎12-01-2022 03:41 AM

So I should have been a bit clearer with this, that's my fault

So I want to find the percentage of MFA code issued compared to the number of MFA challenges issued. For example if 1000 MFA challenges have been issued and then 750 MFA codes have been issued then I know that 75% of people have chosen to receive an MFA code instead of abandoning the journey.

So I updated my query to this

index="keycloak" "MFA" 
mfa="MFA code issued" OR (mfa="MFA challenge issued")
| stats count AS Total count(eval(mfa="MFA code issued")) AS MFA_code_issued
| stats count AS Total count(eval(mfa="MFA challenge issued")) AS MFA_challenge_issued
| eval Percentage=((MFA_code_issued/MFA_challenge_issued)*100)
| eval Percentage=round('Percentage', 2)." %"
| stats count

However, that now returns a value of 1

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-01-2022 06:25 AM 
index="keycloak" "MFA" 
mfa="MFA code issued" OR (mfa="MFA challenge issued")
| stats count(eval(mfa="MFA code issued")) AS MFA_code_issued count(eval(mfa="MFA challenge issued")) AS MFA_challenge_issued
| eval Percentage=((MFA_code_issued/MFA_challenge_issued)*100)
| eval Percentage=round('Percentage', 2)." %"
Reply
Solved! Jump to solution

jhilton90
Path Finder
‎12-01-2022 07:20 AM

Sorry I marked as the solution by accident. I tried your code but it just returns the number as if you were just using a stats count query

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-01-2022 07:23 AM

But @ITWhisperer 's solution should do precisely what you described - count number of requests, count number of issued MFAs and calculate percentage.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-30-2022 04:05 AM

Hi @jhilton90,

you search should retuning a number that's the percentage you're calculating.

What's the problem, maybe do you need to have the "%" char after the number?

if this is your need, you can use

index="keycloak" "MFA" 
mfa="MFA code issued" OR (mfa="MFA challenge issued")
| stats count AS Total count(eval(mfa="MFA code issued")) AS MFA_code_issued
| eval Percentage=round(((MFA_code_issued/Total)*100),2)." %"
| table MFA_code_issued Percentage

Or if you're using a Single Value Panel, you can add the perc to the panel.

If instead you mean something else, please describe your need with other details.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

jhilton90
Path Finder
‎12-01-2022 07:51 AM

Nevermind ive sorted it! 🙂

0 Karma
Reply
Solved! Jump to solution

jhilton90
Path Finder
‎12-01-2022 07:46 AM

How would I add the percentage as a single value?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-01-2022 10:58 PM

Hi @jhilton90,

you have to modify your search putting in table only the Percentage field and then save it as a Dashboard Single Value Panel.

In this case, you don't need to add "%" to the output but you can put it in the panel.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...