Splunk Search

How to calculate percentage during runtime?

neethan
Path Finder

This is give me data in integers, I want calculate percentages.

How can we do it?

| savedsearch cbp_inc_base | eval _time=strftime(opened_time, "%Y/%m/%d")
| bin _time span=1d
| chart count(incident_number) as IncidentCount over _time by hasAppBlueprints

Labels (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Use addtotals to get the total for each time period and evaluate each count field divided by total

| makeresults count=10000
| eval count=random()%100
| eval hasAppBlueprints=mvindex(split("true|false","|"),random()%2)
| eval _time=_time-random()%1000
| bin span=1m _time 
| chart sum(count) as IncidentCount over _time by hasAppBlueprints
| addtotals
| eval false=100*false/Total
| eval true=100*true/Total

neethan
Path Finder

@ITWhisperer  it is giving only per day data, where as i want to do this calculation during runtime. For every each day, it should calculate percentages

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

I don't understand - you are getting per day data but you want per day data? What is the difference? Can you give some examples?

Can you share the search query you are using?

0 Karma

neethan
Path Finder

this is my query and i want to show line graph of CBP vs NonCBP with percentages 

Please advise how can achieve it

| savedsearch cbp_inc_base | eval _time=strftime(opened_time, "%Y/%m/%d")
| bin _time span=1d
| chart count(incident_number) as IncidentCount over _time by hasAppBlueprints
| eval CBP = round (100*CBP/6737, 2)."%"
| eval NonCBP = round(100*NonCBP/12879, 2)."%"

 

Saved serach is 

index="88292-cbp" source_name=**** platformName=REDHAT earliest=-24h
| table hostName, source_name, hasAppBlueprints | rename hostName as hostname
| join type=inner max=0 hostname [ search
index=88292-cgr source_name=*****   earliest=-21d | dedup incident_number
| rex field=transfer_description "found as (?<correct_host>[a-zA-Z0-9\-]+) "
| rename configuration_item as hostname
| eval opened_time=strptime(opened_time, "%b %d, %Y %H:%M:%S")
| where (opened_time <= relative_time(now(),"@d")) AND (opened_time >= relative_time(now(),"-30d@d"))
| table hostname, alert_id, incident_number, correct_host, opened_time, state
| eval hostname=case(match(hostname, ".* .*"), correct_host, 1==1, hostname) ]
| eval hasAppBlueprints=if(hasAppBlueprints="true","CBP",hasAppBlueprints)
| eval hasAppBlueprints=if(hasAppBlueprints="false","NonCBP",hasAppBlueprints)
| table hostname, alert_id, incident_number, source_name, opened_time, hasAppBlueprints, state

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

opened_time is already in epoch format due to the strptime in the savedsearch, so you just need to bin it into days

| savedsearch cbp_inc_base
| bin opened_time as _time span=1d
| chart count(incident_number) as IncidentCount over _time by hasAppBlueprints
| eval CBP = round (100*CBP/6737, 2)."%"
| eval NonCBP = round(100*NonCBP/12879, 2)."%"
0 Karma

neethan
Path Finder

this is my query and i want to show line graph of CBP vs NonCBP with percentages 

Please advise how can achieve it

| savedsearch cbp_inc_base | eval _time=strftime(opened_time, "%Y/%m/%d")
| bin _time span=1d
| chart count(incident_number) as IncidentCount over _time by hasAppBlueprints
| eval CBP = round (100*CBP/6737, 2)."%"
| eval NonCBP = round(100*NonCBP/12879, 2)."%"

 

Saved serach is 

index="88292-cbp" source_name=**** platformName=REDHAT earliest=-24h
| table hostName, source_name, hasAppBlueprints | rename hostName as hostname
| join type=inner max=0 hostname [ search
index=88292-cgr source_name=*****   earliest=-21d | dedup incident_number
| rex field=transfer_description "found as (?<correct_host>[a-zA-Z0-9\-]+) "
| rename configuration_item as hostname
| eval opened_time=strptime(opened_time, "%b %d, %Y %H:%M:%S")
| where (opened_time <= relative_time(now(),"@d")) AND (opened_time >= relative_time(now(),"-30d@d"))
| table hostname, alert_id, incident_number, correct_host, opened_time, state
| eval hostname=case(match(hostname, ".* .*"), correct_host, 1==1, hostname) ]
| eval hasAppBlueprints=if(hasAppBlueprints="true","CBP",hasAppBlueprints)
| eval hasAppBlueprints=if(hasAppBlueprints="false","NonCBP",hasAppBlueprints)
| table hostname, alert_id, incident_number, source_name, opened_time, hasAppBlueprints, state

0 Karma
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...