Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to calculate percentages with multiple count function?

homer07
Explorer
‎09-02-2021 12:53 AM

I'm trying to calculate percentages based on the number of events per vary group. There are actually a lot of events, so can't use method like count(eval(...)). The summary of events is as follows:

 

 

 

color
------
green
red
greed
greed
red

 

 

 

 Here's my search so far:

 

 

 

index="test" sourcetype="csv"
| stats count as numColor by color
| eval total=5 
| eval percent=printf("%.2f", (numColor/total)*100)
| sort num(percent)
| table color numColor percent

 

 

 

How do I replace the hardcore variable value "total" with count() function or other methods?
Any help would be appreciated.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-02-2021 02:15 AM

Sorry, my mistake. sum(numColor), not sum(count). You renamed the column in your stats.

| makeresults 
| eval _raw="red
green
red
blue
green
red
red
green" 
| multikv noheader=t
| table Column_1 
| rename Column_1 as color| stats count as numColor by color |eventstats sum(numColor) as totalcolors 
| eval percentage=numColor/totalcolors 
| fields - totalcolors
| fieldformat percentage=round(percentage*100,1)

 

PickleRick_1-1630579139949.png

 

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-02-2021 01:04 AM

There is probably another way. But I'd do your initial search

index="test" sourcetype="csv"
| stats count as numColor by color

Then I'd add eventstats to have sum of the counts in every row

|eventstats sum(count) as totalcolors

So now you can simply evaluate

| eval percentage=numColor/totalcolors
0 Karma
Reply
Solved! Jump to solution

homer07
Explorer
‎09-02-2021 01:27 AM

I tried your method, but it doesn't seem to work to use two count function in the same search.

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-02-2021 02:15 AM

Sorry, my mistake. sum(numColor), not sum(count). You renamed the column in your stats.

| makeresults 
| eval _raw="red
green
red
blue
green
red
red
green" 
| multikv noheader=t
| table Column_1 
| rename Column_1 as color| stats count as numColor by color |eventstats sum(numColor) as totalcolors 
| eval percentage=numColor/totalcolors 
| fields - totalcolors
| fieldformat percentage=round(percentage*100,1)

 

PickleRick_1-1630579139949.png

 

Reply
Solved! Jump to solution

homer07
Explorer
‎09-02-2021 03:46 AM

Thanks, it's great!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...