Char ........Count

Romeo_James · ‎10-05-2018

Example Search:
Index=*
|chart count over Character
|addcoltotals

Example output:

Char ........Count

A.................21
B.................13
C.................54
D.................11
....................99

Is it possible to take the addcoltotals and divide it by the value of C (54/99) using an eval func?

renjith_nair · ‎10-05-2018

@Romeo_James ,

Try,

    index=*
   |chart count over Character
   |eventstats sum(count) as Total
   |addcoltotals
   |eval X=if(Character=="C",count/Total,"")|fields - Total

You can remove the condition, if you want the values for all characters

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎10-05-2018

@Romeo_James ,

Try,

    index=*
   |chart count over Character
   |eventstats sum(count) as Total
   |addcoltotals
   |eval X=if(Character=="C",count/Total,"")|fields - Total

You can remove the condition, if you want the values for all characters

---
What goes around comes around. If it helps, hit it with Karma 🙂

How do I perform eval function on chart values?

Char ........Count

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

How do I perform eval function on chart values?

Char ........Count

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0