Solved: How to chart a percentage from derived search resu... - Splunk Community

Splunk Search

I am new to splunka and have a question on charting percentage field that is derived from search/query result.

Splunk indexed logs:
2013-10-11 17:46:22,539 INFO [com.xxx.yyy] score=891 url_id=200

I would like to chart a % of urls whose score < 100.

I use below query to get list of score count.
host="abc" AND com.xxx.yyy "score" | chart count by score

How can I calculate a percentage of score <100 using splunk?

1 Solution

Solution

Try below query

host="abc" AND com.xxx.yyy | stats count(eval(score<100)) as CountLess, count as Total by date_hour| eval perc=CountLess*100/Total | fields date_hour,perc

View solution in original post

Solution

Try below query

host="abc" AND com.xxx.yyy | stats count(eval(score<100)) as CountLess, count as Total by date_hour| eval perc=CountLess*100/Total | fields date_hour,perc

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...