Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Count the percentage of stats by two fields (not total)?

saksona
Engager
‎09-05-2023 01:17 AM

[search] |stats count by ClientName Outcome

example:

Client1 Positive count

Client1 Negative count

Client2 Positive count

Client2 Negative count

Client 2 Unknown count


How do I get the percentage for each client outcomes?

Client1 Positive count %

Client1 Negative count  %

Client2 Positive count %

Client2 Negative count %

Client2 Unknown count %

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2023 01:20 AM 
[search] |stats count by ClientName Outcome
| eventstats sum(count) as total by ClientName
| eval percent=100*count/total

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2023 01:20 AM 
[search] |stats count by ClientName Outcome
| eventstats sum(count) as total by ClientName
| eval percent=100*count/total
0 Karma
Reply
Solved! Jump to solution

saksona
Engager
‎09-05-2023 01:49 AM

Don't understand what you mean. It does not do anything.
How do I get the result I am asking for?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2023 01:58 AM

What do you mean "it doesn't do anything"? Please share the search and the results

0 Karma
Reply
Solved! Jump to solution

saksona
Engager
‎09-05-2023 02:04 AM

Oh, I see what I did, but not sure, why that works the way it does.

This is what I did:

[search] |stats count as EventCount by ClientName Outcome
| eventstats sum(EventCount) as total by ClientName
| eval percent=100*count/total

 

It works when I do what you said exactly!

Thanks!

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2023 02:11 AM

Since you renamed the count field, you have to use the new name n the calculation

[search] |stats count as EventCount by ClientName Outcome
| eventstats sum(EventCount) as total by ClientName
| eval percent=100*EventCount/total
0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...