Hi,
I need to calculate the count and percentage of fields.
Original post here; the main issue is that fields contain a space or are blank (2 single quotation
I have SPL like below:
| eventstats count as namecount by name
| eventstats count as colorcount by color
| eventstats count as statuscount by status
| eventstats count(name) as nametotal
| eventstats count(color) as colortotal
| eventstats count(status) as statustotal
| eval name=printf("%04u %s %d", 10000-namecount, name, nametotal)
| eval color=printf("%04u %s %d", 10000-colorcount, color, colortotal)
| eval status=printf("%04u %s %d", 10000-statuscount, status, statustotal)
| stats values(name) as name values(color) as color values(status) as status
| eval cname=mvmap(name,10000-tonumber(mvindex(split(name," "),0)))
| eval ccolor=mvmap(color,10000-tonumber(mvindex(split(color," "),0)))
| eval cstatus=mvmap(status,10000-tonumber(mvindex(split(status," "),0)))
| eval pname=mvmap(name,100*(10000-tonumber(mvindex(split(name," "),0)))/tonumber(mvindex(split(name," "),2)))
| eval pcolor=mvmap(color,100*(10000-tonumber(mvindex(split(color," "),0)))/tonumber(mvindex(split(color," "),2)))
| eval pstatus=mvmap(status,100*(10000-tonumber(mvindex(split(status," "),0)))/tonumber(mvindex(split(status," "),2)))
| eval name=mvmap(name,mvindex(split(name," "),1))
| eval color=mvmap(color,mvindex(split(color," "),1))
| eval status=mvmap(status,mvindex(split(status," "),1))
| fields name cname pname color ccolor pcolor status cstatus pstatus
I have some "date" or "color" values like this: 'Mon May 30 00:00:00 USDT 2022' or ''
FYI: some of them contain spaces between the single quotation marks, like this 'Mon May 30 00:00:00 USDT 2022'; some of them are empty and just have the single quotation marks, like this ''
It does not show them correctly and won't calculate the percentage of them.
current output:
Date      cDate  %Date  Color  cColor  %Color
'Mon      2             ''     1
'Today'   1      33.0   'red'  2       66.0
expected output:
Date                             cDate  %Date  Color  cColor  %Color
'Mon May 30 00:00:00 USDT 2022'  2      66.66  ''     1       33.3
'Today'                          1      33.0   'red'  2       66.0
Use a different delimiter character - try this
| eventstats count as namecount by name
| eventstats count as colorcount by color
| eventstats count as statuscount by status
| eventstats count(name) as nametotal
| eventstats count(color) as colortotal
| eventstats count(status) as statustotal
| eval name=printf("%04u|%s|%d", 10000-namecount, name, nametotal)
| eval color=printf("%04u|%s|%d", 10000-colorcount, color, colortotal)
| eval status=printf("%04u|%s|%d", 10000-statuscount, status, statustotal)
| stats values(name) as name values(color) as color values(status) as status
| eval cname=mvmap(name,10000-tonumber(mvindex(split(name,"|"),0)))
| eval ccolor=mvmap(color,10000-tonumber(mvindex(split(color,"|"),0)))
| eval cstatus=mvmap(status,10000-tonumber(mvindex(split(status,"|"),0)))
| eval pname=mvmap(name,100*(10000-tonumber(mvindex(split(name,"|"),0)))/tonumber(mvindex(split(name,"|"),2)))
| eval pcolor=mvmap(color,100*(10000-tonumber(mvindex(split(color,"|"),0)))/tonumber(mvindex(split(color,"|"),2)))
| eval pstatus=mvmap(status,100*(10000-tonumber(mvindex(split(status,"|"),0)))/tonumber(mvindex(split(status,"|"),2)))
| eval name=mvmap(name,mvindex(split(name,"|"),1))
| eval color=mvmap(color,mvindex(split(color,"|"),1))
| eval status=mvmap(status,mvindex(split(status,"|"),1))
| fields name cname pname color ccolor pcolor status cstatus pstatus
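The effect of the delimiter change, as an added example that is not part of the original thread: a Python simulation (not SPL) of the printf/split/mvindex steps, run over constructed values shaped like those in the question. It goes one step beyond the answer by also showing a value that contains "|" and a hypothetical helper, unpack_edges, that reads the count before the first delimiter and the total after the last one.

```python
from collections import Counter

def pack(values, delim):
    """Mimic eventstats + printf: '<10000-count><delim><value><delim><total>'."""
    counts, total = Counter(values), len(values)
    # stats values() returns the distinct packed strings in lexicographic order
    return sorted({"%04u%s%s%s%d" % (10000 - counts[v], delim, v, delim, total)
                   for v in values})

def to_number(text):
    """Mimic tonumber(): None (null) when the text is not numeric."""
    try:
        return float(text)
    except (TypeError, ValueError):
        return None

def unpack_naive(packed, delim):
    """Mimic split() + mvindex(..., 0/1/2) as used in the thread's SPL."""
    parts = packed.split(delim)
    count = 10000 - int(parts[0])
    total = to_number(parts[2]) if len(parts) > 2 else None
    pct = round(100 * count / total, 2) if total else None
    return parts[1], count, pct

def unpack_edges(packed, delim):
    """Hypothetical helper: count before the first delimiter, total after the last."""
    head, rest = packed.split(delim, 1)
    value, tail = rest.rsplit(delim, 1)
    count = 10000 - int(head)
    return value, count, round(100 * count / int(tail), 2)

def summarize(values, delim, unpack):
    return [unpack(p, delim) for p in pack(values, delim)]

# Constructed sample events matching the shapes quoted in the question.
DATES = ["'Mon May 30 00:00:00 USDT 2022'", "'Mon May 30 00:00:00 USDT 2022'", "'Today'"]
PIPED = ["'a|b'", "'a|b'", "'c'"]  # constructed: values that contain the new delimiter

if __name__ == "__main__":
    for label, rows in [("space", summarize(DATES, " ", unpack_naive)),
                        ("pipe", summarize(DATES, "|", unpack_naive)),
                        ("pipe, value has |", summarize(PIPED, "|", unpack_naive)),
                        ("edges, value has |", summarize(PIPED, "|", unpack_edges))]:
        print(label, rows)
```

Any delimiter that can occur inside a field value truncates the value and nulls the percentage in the same way the space did, so pick one the data cannot contain or parse from the edges.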