Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add total and percentage column in timechart

jerrysplunk88
Explorer
‎11-10-2020 09:21 PM

Using a simple example: count the number of events for each host name

... | timechart count BY host

> ... | timechart count BY host
> 
> This search produces this results table:
> 
> _time         host1   host2   host3   
> 
> 2018-07-05    1038    27      7      
> 2018-07-06    4981    111     35      
> 2018-07-07    5123    99      45       
> 2018-07-08    5016    112     22

What I want is to add columns to show the total events for that day and the percentage of each http status code.

> _time         host1   host2   host3  host1_percent host2_percent
> 
> 2018-07-05    1038    27      7        92.8          3.1
> 2018-07-06    4981    111     35       94.5          4.5
> 2018-07-07    5123    99      45       95.2          3.2
> 2018-07-08    5016    112     22       96.2          3.2

 

I tried

 ... | timechart count BY host
| eval total= host1 + host2 + host3
| eval host1_percent = host1 / total
| eval host2_percent = host2 / total
| eval host3_percent = host3 / total
| table _time, host1_percent, host2_percent, host3_percent

This works most of the time, but I found out if for certain day, a host was offline (no record for a particular host), then the search doesn't work (return blank results), I have to remove that particular host from the "total = host1 + host2 + host3" to get it to work.

So my question is: is there a way to get the total number of record for for every day (row) without having to add them together, e.g. replace the "total = host1 + host2 + host3" with a count or sum, I tried couple of thing, none of them work.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-11-2020 12:37 AM 
 ... | bin span=1d _time
| stats count BY _time host
| eventstats sum(count) as total by _time
| eval percent = count / total
| chart values(percent) by _time host

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-11-2020 12:37 AM 
 ... | bin span=1d _time
| stats count BY _time host
| eventstats sum(count) as total by _time
| eval percent = count / total
| chart values(percent) by _time host
Reply
Solved! Jump to solution

jerrysplunk88
Explorer
‎11-11-2020 05:19 PM

Thanks, this works!

I found another solution which is to use addtotal

| timechart count by host
| addtotals row=true fieldname=total host*

 

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...