Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you add percentage of total for several columns in a table?

alessandrocicch
Engager
‎10-30-2018 07:41 AM

Hi all,

I'm quite new to Splunk and I'm struggling trying to add percentages to a table that I built from two indexes (sorry if the same question has been already asked, but I didn't find any applicable to my case).

The table I have looks like this:
alt text

What I'm trying to do now is add, for each column, percentages of total: for example Actual_Sept % = 536 /1640 and 1104 / 1640 and so on for all columns

Hope you can help on this,

thanks anyway

Alessandro

Tags (2)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-30-2018 09:29 AM

@alessandrocicchella,

If you could remove addcoltotals from your search, give this a try

"Your search without addcoltotals (or the last row) " |eventstats sum(*) as sum_*
|foreach * [eval <<FIELD>>_%=<<FIELD>>/sum_<<FIELD>>]|fields - sum_*

If this does not work, please provide the search used to find the current count/values under each field, we shall try alternative/better searches.

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

jlelli
Path Finder
‎10-30-2018 09:33 AM

With the eval command is quite simple to do that; something like:

| eval Percentage= round(100 * Count / Total,2)

However I don't understand how you are using the fields in your table; if i understood correctly the "Actual_Sept" field has in it the values of both the dividend and the divisor. Is that correct?

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-30-2018 09:29 AM

@alessandrocicchella,

If you could remove addcoltotals from your search, give this a try

"Your search without addcoltotals (or the last row) " |eventstats sum(*) as sum_*
|foreach * [eval <<FIELD>>_%=<<FIELD>>/sum_<<FIELD>>]|fields - sum_*

If this does not work, please provide the search used to find the current count/values under each field, we shall try alternative/better searches.

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

alessandrocicch
Engager
‎10-30-2018 09:52 AM

Hi Renjith,
it works great 😄

Thank you very much for your fast and effective help

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...