Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change chart count to a percent value?

nikkkc
Path Finder
‎02-25-2016 07:47 AM

I do not know how to change count values to a percentage value and I couldn't find an answer by searching this forum, so maybe someone could help me please? thanks in advance

This is my search:

index=* 
| fields eventDateTime,computerName,name,agentGuid,ID 
| eval _timeepoch = strptime(eventDateTime,"%Y-%m-%d %H:%M")     
| eval myDay = strftime(_timeepoch,"%A")    
| eval myYear = strftime(_timeepoch,"%Y") 
| eval myMonth = strftime(_timeepoch,"%m") 
| where (myDay != "Saturday" AND myDay != "Sunday")  
| lookup Workdays myYear myMonth OUTPUT Days 
| chart count  over computerName by name  
| eval count=round(count*100/(Days*10),4) 
| eval count=if(Servicetime>100,100.0000,Servicetime)

The last two evals were my idea to change the count values, but this does NOT work!Maybe also the lookup value isn't available after the chart function right? How can I do this? 🙂

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

fdi01
Motivator
‎02-26-2016 01:58 AM

try like :

 index=* 
 | fields eventDateTime,computerName,name,agentGuid,ID 
 | eval _timeepoch = strptime(eventDateTime,"%Y-%m-%d %H:%M")     
 | eval myDay = strftime(_timeepoch,"%A")    
 | eval myYear = strftime(_timeepoch,"%Y") 
 | eval myMonth = strftime(_timeepoch,"%m") 
 | where (myDay != "Saturday" AND myDay != "Sunday")  
 | lookup Workdays myYear myMonth OUTPUT Days 
 | chart count  over computerName by name  | eventstats sum(count) as Total by Days 
 | eval Percent=round(count*100/Total,4) 
 | eval count=if(Servicetime>100,100.0000,Servicetime)

or 

your base search  | stats  count by computerName  name | eventstats sum(count) as Total by Days  | eval Percent=round(count*100/Total,4) | ....

View solution in original post

Reply
Solved! Jump to solution
Solution

fdi01
Motivator
‎02-26-2016 01:58 AM

try like :

 index=* 
 | fields eventDateTime,computerName,name,agentGuid,ID 
 | eval _timeepoch = strptime(eventDateTime,"%Y-%m-%d %H:%M")     
 | eval myDay = strftime(_timeepoch,"%A")    
 | eval myYear = strftime(_timeepoch,"%Y") 
 | eval myMonth = strftime(_timeepoch,"%m") 
 | where (myDay != "Saturday" AND myDay != "Sunday")  
 | lookup Workdays myYear myMonth OUTPUT Days 
 | chart count  over computerName by name  | eventstats sum(count) as Total by Days 
 | eval Percent=round(count*100/Total,4) 
 | eval count=if(Servicetime>100,100.0000,Servicetime)

or 

your base search  | stats  count by computerName  name | eventstats sum(count) as Total by Days  | eval Percent=round(count*100/Total,4) | ....
Reply
Solved! Jump to solution

nikkkc
Path Finder
‎02-26-2016 04:01 AM

Thank you, now you brought me to this final and great result:

my base search | stats count by computerName name,atage
| eval Servicetime=round(count*100/(Days*11),4)
| eval Servicetime=if(Servicetime>100,100.0000,Servicetime)
| fields - Days,count
| chart sum(Servicetime) over computerName by name

0 Karma
Reply
Solved! Jump to solution

aholzer
Motivator
‎02-25-2016 08:36 AM

You are correct that the lookup fields would not be available after the stats. The only fields available to you after the stats are count, computerName and name.

If you use the "top" command, you should get a percent field automatically

Hope this helps

0 Karma
Reply
Solved! Jump to solution

nikkkc
Path Finder
‎02-25-2016 11:50 PM

ok thanks, but i cant use the top command because splunk can not know my definition for 100 percent. it depends on the lookup result. is there no way to do this?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...