Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I search the count of events and use that value to calculate another field?

joydeep741
Path Finder
‎11-10-2015 10:22 AM

I wish to count the number of events and then use that value to calculate something else.

I tried something like this:

index=dotcom sourcetype=dotcom_access_log status != 2* pid=www.abc.com |
eventstats count as todayTotal |stats count(status) as todayValue by status | eval percent = (todayValue/todayTotal)*100

But todayTotal comes as empty when I use it in eval (though the bold line successfully gets the value of todayTotal).
Please suggest how can i use the value of "total number of events" (todayTotal in the case above).

Reply

woodcock
Esteemed Legend
‎11-20-2015 02:55 AM

Like this:

index=dotcom sourcetype=dotcom_access_log status != 2* pid=www.abc.com|stats count(status) as todayValue by status | eventstats sum(todayValue) AS todayTotal | eval percent = (todayValue/todayTotal)*100
0 Karma
Reply

Runals
Motivator
‎11-10-2015 11:05 AM

Move your eventstats after your stats command and change it to | eventstats sum(todayValue) as todayTotal

0 Karma
Reply

sundareshr
Legend
‎11-10-2015 10:59 AM

Does this give you what you're looking for?

index=dotcom sourcetype=dotcom_access_log pid=www.abc.com | stats count as total count(eval(status!="2*")) as statuscount | eval percent=statuscount/total*100

If you want the percentage for all status > 200 then try this

 index=dotcom sourcetype=dotcom_access_log pid=www.abc.com  status>299 | stats count by status | stats sum(count) as value by status | eventstats sum(value)  as total | eval percent=value/total*100
0 Karma
Reply

DeronJensen
Explorer
‎11-10-2015 10:58 AM

I think the search is losing the field todayTotal when it do the stats command by status. I think the search should do the stats by status, todayTotal which will also keep the todayTotal field in the results so you can calculate the percent field.

...|stats count(status) as todayValue by status,todayTotal | eval percent = (todayValue/todayTotal)*100
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...