- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to calculate percent from distinct count?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm aware of a number of questions on here dealing with percents, including: https://answers.splunk.com/answers/120424/how-to-display-percentage-of-total.html
But I can't figure out how to apply it to my question.
I have browser logs of site sessions, and want to report the % breakdown by device type.
This search gets me a table of device totals (by distinct sessions), but how do i make it a %?
eventtype=pageactions tag=external_traffic session_id=*
| fillnull value=blank devicetype
| stats dc(session_id) as unique_sessions by devicetype
| table devicetype unique_sessions
| addtotals row=f col=t labelfield=devicetype label=total
Actually, ideally I'd like to have two columns (both as %) showing the % of distinct events and the % of all events. That way I can see both what device our visitors are using and if one device is causing more traffic.
I can do that from here (if i could just divide by total)
eventtype=pageactions tag=external_traffic session_id=*
| fillnull value=blank devicetype
| stats dc(session_id) as unique_sessions, count as event_counts by devicetype
| table devicetype unique_sessions event_counts
| addtotals row=f col=t labelfield=devicetype label=total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this? Add up the total using eventstats and then calculate the percentage for each row.
| gentimes start=-500 | eval session_id=random() % 500 | eval device_id = random() % 10 | stats dc(session_id) AS unique_sessions by device_id | eventstats sum(unique_sessions) AS total | eval percent=round((unique_sessions/total)*100,2) | table device_id unique_sessions percent
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this? Add up the total using eventstats and then calculate the percentage for each row.
| gentimes start=-500 | eval session_id=random() % 500 | eval device_id = random() % 10 | stats dc(session_id) AS unique_sessions by device_id | eventstats sum(unique_sessions) AS total | eval percent=round((unique_sessions/total)*100,2) | table device_id unique_sessions percent
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
whoa! thanks.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
