Solved: How to calculate average and percentage for fields...

ranjitbrhm1 · ‎04-30-2018

Good Day splunkers. I have a query where i want to calculate the number of times a name came on the field, the average times the name was used and the percentage of the name in the field. (The below is truncated for understanding)

splunkd 12,786  1.1%    
Apache#1    12,094  1.041%  
splunk-perfmon  11,788  1.015%  
java#3  11,684  1.006%  
rotatelogs  11,452  0.986%  
svchost#4   11,409  0.982%  
perl    11,078  0.954%  
emagent 10,821  0.931%  
Tomcat7 10,309  0.887%  
splunk-regmon   10,274  0.884%

If the field values were numeric I could have counted and summed and created the avg. but when the field value names like above how do I go forward? I have done something similar once with eval but I can't seem to figure this out.
Thanks

TISKAR · ‎05-01-2018

Can you try this please:

<YourBaseSearch>| stats count by name | eventstats sum(count)  as tot | eval pers=round(100*count/tot,2).%

For avg you want calcul the avg by what?

View solution in original post

TISKAR · ‎05-01-2018

Can you try this please:

<YourBaseSearch>| stats count by name | eventstats sum(count)  as tot | eval pers=round(100*count/tot,2).%

For avg you want calcul the avg by what?

akarivaratharaj · ‎06-28-2018

How to find out count and average of a text based field for every 1 minute of time span

FrankVl · ‎05-01-2018

Try something like this:

...your search here...
| eventstats count as namecount by name
| eventstats count as totalcount
| eval percentage=(namecount/totalcount)*100
| fieldformat percentage=percentage."%"

How to calculate average and percentage for fields with only names?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life