Splunk Search

How to add and divide field results for percentage?

atebysandwich
Path Finder

I'm trying to figure out the percent of successful authentications from our vulnerability scans. There is a field named IP_Auth_Type and if I do a stats count by on that field I get the following:

  • Unix Failed 
  • Unix Not Attempted
  • Unix Successful
  • Windows Successful

I would like to add up all those above-mentioned bullet points, then add the Unix Successful and Windows Successful counts and divide that by the total of all the points.

This is what I have so far:

| inputlookup vulnresults.csv
| stats sum(Unix Failed) as UnixFailed_sum, sum(Unix Not Attempted) as UnixNotAttempted_sum, sum(Unix Successful) as UnixSuccessful_sum, sum(Windows Successful) as WindowsSuccessful_sum
| eval total=UnixFailed_sum + UnixNotAttempted_sum + UnixSuccessful_sum + WindowsSuccessful_sum
| eval ratio=(UnixSuccessful_sum + WindowsSuccessful_sum) / (total)
| table NA_sum UnixFailed_sum UnixNotAttempted_sum UnixSuccessful_sum WindowsSuccessful_sum total ratio

This doesn't bring any result, so any help would be greatly appreciated.


bowesmana
SplunkTrust

If it brings NO results, then there is a problem with some part of the search, often with invalid or incorrect field names.

So, the search seems technically OK, although you don't calculate NA_sum in the table.

If you remove all lines after the stats, do you get the 4 values from stats?

As there is nothing else that is removing data, it has to be that the fields in the lookup are not the ones you are using to calculate the results in the stats.

Note: You can easily calculate total in the stats command by adding the count, i.e.

| stats count as total sum("Unix Failed")...

Note that it's good practice to use quotes round fields with spaces.


atebysandwich
Path Finder

Hi,

I went through it all again and still get nothing. The items I'm trying to add and divide are not fields: they are names of results in a field called IP_Auth_Type. I'm sure that makes a difference, but I'm not sure how.

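Added example, not part of the thread: one way to get the percentage when the four items are values of IP_Auth_Type rather than field names, taking the total from the row count as bowesmana suggests. It assumes the lookup has one row per scanned host and that the values are spelled exactly as listed in the question.

```spl
| inputlookup vulnresults.csv
| stats count as total,
        count(eval(like(IP_Auth_Type, "% Successful"))) as successful,
        count(eval(IP_Auth_Type="Unix Failed")) as unix_failed,
        count(eval(IP_Auth_Type="Unix Not Attempted")) as unix_not_attempted
| eval pct_successful=round(100 * successful / total, 2)
| table total successful unix_failed unix_not_attempted pct_successful
```

The `like()` pattern matches both "Unix Successful" and "Windows Successful", so the numerator does not need to be updated if another platform's "Successful" value appears later.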

bowesmana
SplunkTrust

Please post the search you are running in a <> codeblock and a screenshot of the results, so I can better understand what is occurring.
