Splunk Search

How to calculate percentage during runtime?

neethan
Path Finder

This gives me data in integers; I want to calculate percentages.

How can we do it?

| savedsearch cbp_inc_base | eval _time=strftime(opened_time, "%Y/%m/%d")
| bin _time span=1d
| chart count(incident_number) as IncidentCount over _time by hasAppBlueprints

0 Karma

ITWhisperer
SplunkTrust

Use addtotals to get the total for each time period and evaluate each count field divided by the total.

| makeresults count=10000
| eval count=random()%100
| eval hasAppBlueprints=mvindex(split("true|false","|"),random()%2)
| eval _time=_time-random()%1000
| bin span=1m _time 
| chart sum(count) as IncidentCount over _time by hasAppBlueprints
| addtotals
| eval false=100*false/Total
| eval true=100*true/Total

neethan
Path Finder

@ITWhisperer it is giving only per-day data, whereas I want to do this calculation during runtime. For each day, it should calculate percentages.

0 Karma

ITWhisperer
SplunkTrust

I don't understand - you are getting per day data but you want per day data? What is the difference? Can you give some examples?

Can you share the search query you are using?

0 Karma

neethan
Path Finder

This is my query and I want to show a line graph of CBP vs NonCBP with percentages.

Please advise how I can achieve it.

| savedsearch cbp_inc_base | eval _time=strftime(opened_time, "%Y/%m/%d")
| bin _time span=1d
| chart count(incident_number) as IncidentCount over _time by hasAppBlueprints
| eval CBP = round(100*CBP/6737, 2)."%"
| eval NonCBP = round(100*NonCBP/12879, 2)."%"

Saved search is

index="88292-cbp" source_name=**** platformName=REDHAT earliest=-24h
| table hostName, source_name, hasAppBlueprints | rename hostName as hostname
| join type=inner max=0 hostname [ search
index=88292-cgr source_name=*****   earliest=-21d | dedup incident_number
| rex field=transfer_description "found as (?<correct_host>[a-zA-Z0-9\-]+) "
| rename configuration_item as hostname
| eval opened_time=strptime(opened_time, "%b %d, %Y %H:%M:%S")
| where (opened_time <= relative_time(now(),"@d")) AND (opened_time >= relative_time(now(),"-30d@d"))
| table hostname, alert_id, incident_number, correct_host, opened_time, state
| eval hostname=case(match(hostname, ".* .*"), correct_host, 1==1, hostname) ]
| eval hasAppBlueprints=if(hasAppBlueprints="true","CBP",hasAppBlueprints)
| eval hasAppBlueprints=if(hasAppBlueprints="false","NonCBP",hasAppBlueprints)
| table hostname, alert_id, incident_number, source_name, opened_time, hasAppBlueprints, state

0 Karma

ITWhisperer
SplunkTrust

opened_time is already in epoch format due to the strptime in the saved search, so you just need to bin it into days.

| savedsearch cbp_inc_base
| bin opened_time as _time span=1d
| chart count(incident_number) as IncidentCount over _time by hasAppBlueprints
| eval CBP = round(100*CBP/6737, 2)."%"
| eval NonCBP = round(100*NonCBP/12879, 2)."%"

0 Karma
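The following search is an added example, not part of the original thread and not code from ITWhisperer or the original poster. It combines the two points made in the replies above (addtotals for a per-day share, and binning the epoch opened_time directly instead of running strftime first) and replaces the hard-coded denominators 6737 and 12879 with totals computed by eventstats, so the percentages stay correct when the search time range changes. The first four lines build a constructed data set of 5000 synthetic incidents spread over the last 30 days; the field names opened_time, incident_number and hasAppBlueprints with values CBP/NonCBP are taken from the saved search in the thread, while the 5000 count, the 30-day spread and the roughly one-third CBP split are assumptions made only for the example.

```spl
| makeresults count=5000
| eval opened_time=now()-(random()%(30*86400))
| eval hasAppBlueprints=if(random()%3==0, "CBP", "NonCBP")
| eval incident_number="INC".tostring(random()%1000000)
| bin span=1d opened_time as _time
| chart count(incident_number) as IncidentCount over _time by hasAppBlueprints
| fillnull value=0 CBP NonCBP
| addtotals fieldname=DayTotal CBP NonCBP
| eval CBP_pct_of_day=round(100*CBP/DayTotal, 2)
| eval NonCBP_pct_of_day=round(100*NonCBP/DayTotal, 2)
| eventstats sum(CBP) as CBPTotal, sum(NonCBP) as NonCBPTotal
| eval CBP_pct_of_total=round(100*CBP/CBPTotal, 2)
| eval NonCBP_pct_of_total=round(100*NonCBP/NonCBPTotal, 2)
| table _time, CBP, NonCBP, DayTotal, CBP_pct_of_day, NonCBP_pct_of_day, CBP_pct_of_total, NonCBP_pct_of_total
```

To run it against real data, replace the first four lines with `| savedsearch cbp_inc_base`. The fillnull step matters: chart produces an empty cell for a day on which one category had no incidents, and an eval that divides an empty value yields nothing rather than 0. The *_pct_of_day fields answer "what share of that day's incidents were CBP", and the *_pct_of_total fields answer "what share of all CBP incidents in the range opened on that day", which is what the fixed divisors in the original query were approximating. For the line chart, table only _time plus one pair of percentage fields and leave them numeric; appending "%" with eval, as in the original query, turns the field into a string that the chart cannot plot as a number.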
