Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I present my search results as a percentage instead of a count?

splunkids75
New Member
‎07-12-2016 02:03 AM

Hi everybody!

My database has to many properties, but important properties to set in my Dashboard starting with "U" (U12A8_TARGETOBJECTSTORENAME, U1708_DOCUMENTTITLE, U1903_ARCHIVALDATE, U2A76_CMSEARCHSCHEMAVERSION, U2D52_ICNAUTORUN, U2E68_ICNCLASSNAME, U3975_TARGETOBJECTCLASSID............)

Currently in my Splunk dashboard, I created a "Bar Panel".

My search is:

* | stats count(U*) as U* | transpose | rename column AS Property "row 1" AS Count | SORT -Count | search Property !="U1708_DOCUMENTTITLE"

alt text
My result is perfect, but I prefer to have my result as a percentage, so I want to replace "Count" by "Percentage"...

So I have to replace count by total like:

 percentage = ("U*" * 100) / TOTAL but I don't know how to do that with the "U*"

I define TOTAL like this:

* | stats count(U*) as U*, count(U1708_DOCUMENTTITLE) as TOTAL | transpose | rename column AS Property "row 1" AS Count | SORT -Count | search Property !="U1708_DOCUMENTTITLE"

Do you know how I can do that?

Thanx a lot for answers!

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-12-2016 12:12 PM

Try this search

* | stats count(U*) as U* | transpose | rename column AS Property "row 1" AS Count | SORT -Count | eval total=if(Property !="U1708_DOCUMENTTITLE",Count,0) | eventstats sum(total) as total | eval Percentage=round(Count*100/total,2) | search Property !="U1708_DOCUMENTTITLE" | table Property Percentage

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-12-2016 12:12 PM

Try this search

* | stats count(U*) as U* | transpose | rename column AS Property "row 1" AS Count | SORT -Count | eval total=if(Property !="U1708_DOCUMENTTITLE",Count,0) | eventstats sum(total) as total | eval Percentage=round(Count*100/total,2) | search Property !="U1708_DOCUMENTTITLE" | table Property Percentage
0 Karma
Reply
Solved! Jump to solution

splunkids75
New Member
‎07-13-2016 01:14 AM

Hi Somesoni2

Thanx for your answer! That work fine but I have a little bug with the result, I search to correct it :
Splunk say that total is 1096 but it's 1068.

Thanx again!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-12-2016 12:04 PM

Add this to the end

... | eval perc=tostring(round((Count*100)/Total, 2), "commas")."%"
0 Karma
Reply
Solved! Jump to solution

splunkids75
New Member
‎07-13-2016 01:13 AM

Hi Sundareshr!

Thanx for your answer!

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...