Char ........Count

Romeo_James · ‎10-05-2018

Example Search:
Index=*
|chart count over Character
|addcoltotals

Example output:

Char ........Count

A.................21
B.................13
C.................54
D.................11
....................99

Is it possible to take the addcoltotals and divide it by the value of C (54/99) using an eval func?

renjith_nair · ‎10-05-2018

@Romeo_James ,

Try,

    index=*
   |chart count over Character
   |eventstats sum(count) as Total
   |addcoltotals
   |eval X=if(Character=="C",count/Total,"")|fields - Total

You can remove the condition, if you want the values for all characters

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎10-05-2018

@Romeo_James ,

Try,

    index=*
   |chart count over Character
   |eventstats sum(count) as Total
   |addcoltotals
   |eval X=if(Character=="C",count/Total,"")|fields - Total

You can remove the condition, if you want the values for all characters

---
What goes around comes around. If it helps, hit it with Karma 🙂

How do I perform eval function on chart values?

Char ........Count

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

Join the Conversation

How do I perform eval function on chart values?

Char ........Count

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination