Solved: How to achieve stats count eval chart?

djoobbani · ‎12-06-2022

Dear Splunk community:

I have the following search query:

<BASIC_SEARCH> | chart count by path_template, http_status_code | addtotals fieldname=total
| foreach 2* 3* 4* 5* [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
"<<FIELD>>"=if('<<FIELD>>'=0 , '<<FIELD>>', '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")] | fields - percent_* total

Attached is a sample of the current output based on the above search.

I am trying to do the same thing except only show the 500, 502,503 columns (but still do all the calculation based on the total count of everything). How do i change the above search to achieve this?

Thanks,

Daryoush

richgalloway · ‎12-06-2022

Have you tried removing the unwanted fields?

<BASIC_SEARCH> | chart count by path_template, http_status_code 
| addtotals fieldname=total
| foreach 2* 3* 4* 5* [ eval 
  "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
  "<<FIELD>>"=if('<<FIELD>>'=0 , '<<FIELD>>', '<<FIELD>>'." 
  (".'percent_<<FIELD>>'."%)")] 
| fields - percent_* total 2* 3* 4*

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-06-2022

Have you tried removing the unwanted fields?

<BASIC_SEARCH> | chart count by path_template, http_status_code 
| addtotals fieldname=total
| foreach 2* 3* 4* 5* [ eval 
  "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
  "<<FIELD>>"=if('<<FIELD>>'=0 , '<<FIELD>>', '<<FIELD>>'." 
  (".'percent_<<FIELD>>'."%)")] 
| fields - percent_* total 2* 3* 4*

---
If this reply helps you, Karma would be appreciated.

djoobbani · ‎12-06-2022

Yes this works, thank u very much!

How to achieve stats count eval chart?

eval

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!