Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you calculate the percentage of log entries that have a specific value in a field out of the total number of entries that have that field defined, bucketed by time?

wtanaka
Explorer
‎08-19-2011 01:30 PM

I have a log where each event can be given a boolean field with:

| eval myfield=case(n > 0, "A", n=0, "B")

So some events have myfield = "A", others have myfield = "B", and others have myfield unset.

I'd like a graph with the X axis being "time" and the Y axis being the percentage of events that have n = "A" -- more specifically, the number of events that have n = "A" divided by number of events that have either (n = "A" or n = "B").

How do I do that?

Tags (1)
Reply

bbingham
Builder
‎08-19-2011 01:46 PM

You can use eval's inside of the functions of the charting modules to check if something is true.

|timechart span=15m count as "Total_Events" count(eval(myfield="a")) as "Total_A" count(eval(myfield="b")) as "Total_B" | eval percent_a=Total_A/Total_Events | eval percent_b=Total_B/Total_Events | fields percent_a,percent_b

If you want to only see a ratio of A to B, simply replace the division of "total_events" with the respective value.

Reply

sideview
SplunkTrust
SplunkTrust
‎08-19-2011 01:39 PM

This should work. 

<your search> | eval myfield=case(n > 0, "A", n=0, "B") | timechart count by myfield | eval total=A+B | eval Aperc=100*A/total | eval Bperc=100*B/total | fields _time Aperc Bperc

Also, for when you have more than two values going on, | addtotals will be more useful to you than | eval total=A+B. (Note that addtotals creates a field called 'Total' and field names are case-sensitive.)

Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...