Splunk Search
Highlighted

How do I add a new row to my table with percentage and total values?

New Member

Hello

This is my data:

2015-07-24 12:18:05 A=10 B=20 C=30 D=15
2015-07-24 12:18:15 A=20 B=210 C=320 D=150
2015-07-24 12:18:25 A=20 B=210 C=320 D=150
2015-07-24 12:18:35 A=20 B=10 C=30 D=50

I am able to show total in the last row with following search:

index = "localindex" source = "/var/log/localtest.log" | table Column A,B,C,D | addtotals col=t labelfield=Column label=" TOTALS" fieldname="SUM"

I need to show PERCENTAGE in the last row of the table. The value should like (sum(A)/sum(A+B+C+D))*100and this calculation needs to repeat for each column A, B, C, D, and also include the SUM.

Please suggest me how I can do that.

0 Karma
Highlighted

Re: How do I add a new row to my table with percentage and total values?

SplunkTrust
SplunkTrust

Sorry if I misunderstood your question but at the end you want to repeat the same perc value for each column ? Anyway try appendpipe and do the calculation inside. For eg:

index=test|table column  A B C D|addtotals col=t labelfield=column label=" TOTALS" fieldname="SUM"|appendpipe [stats sum(A) as A,sum(B) as B,sum(C) as C,sum(D) as D,sum(SUM) as SUM|eval perc=(A/(A+B+C+D))*100|eval A=perc|eval B=perc|eval C=perc|eval SUM=perc|eval D=perc]|fields - perc

This might not be the result you want but a pointer.

0 Karma
Highlighted

Re: How do I add a new row to my table with percentage and total values?

Motivator

Since you already have the SUM field (I think I always have to play with addtotals manually) from adding A - D your next step is to use the foreach command

index = "localindex" source = "/var/log/localtest.log" | table Column A,B,C,D | addtotals col=t labelfield=Column label=" TOTALS" fieldname="SUM" | foreach A B C D [ eval <<FIELD>>_perc = round((<<FIELD>> / SUM)*100, 1) . " %" ]

You might want to take out the bit where I've added the % sign in case you want to sort by the values and maybe use a fieldformat command. Unfortunately you can't do a foreach on fieldformat. Give that a shot and see if it helps.