Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to achieve stats count eval chart?

djoobbani
Path Finder
‎12-06-2022 11:00 AM

Dear Splunk community:

 

I have the following search query:

<BASIC_SEARCH> | chart count by path_template, http_status_code | addtotals fieldname=total
| foreach 2* 3* 4* 5* [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
"<<FIELD>>"=if('<<FIELD>>'=0 , '<<FIELD>>', '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")] | fields - percent_* total

Attached is a sample of the current output based on the above search.

I am trying to do the same thing except only show the 500, 502,503 columns (but still do all the calculation based on the total count of everything). How do i change the above search to achieve this?

Thanks,

Daryoush

Labels (1)
Labels
Preview file
152 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-06-2022 01:36 PM

Have you tried removing the unwanted fields?

<BASIC_SEARCH> | chart count by path_template, http_status_code 
| addtotals fieldname=total
| foreach 2* 3* 4* 5* [ eval 
  "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
  "<<FIELD>>"=if('<<FIELD>>'=0 , '<<FIELD>>', '<<FIELD>>'." 
  (".'percent_<<FIELD>>'."%)")] 
| fields - percent_* total 2* 3* 4*
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-06-2022 01:36 PM

Have you tried removing the unwanted fields?

<BASIC_SEARCH> | chart count by path_template, http_status_code 
| addtotals fieldname=total
| foreach 2* 3* 4* 5* [ eval 
  "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
  "<<FIELD>>"=if('<<FIELD>>'=0 , '<<FIELD>>', '<<FIELD>>'." 
  (".'percent_<<FIELD>>'."%)")] 
| fields - percent_* total 2* 3* 4*
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

djoobbani
Path Finder
‎12-06-2022 02:10 PM

Yes this works, thank u very much!

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...