Solved: How to (chart / graph) the percentage of two strin...

sjringo · ‎09-08-2021

This is the query that I am starting with:

index=index sourcetype=logs StringA

| stats count as A

| appendcols [search index=index sourcetype=logs StringB | stats count as B]

| eval percentage = (A / B) * 100

This works with no problems and returns the percentage as expected for the time period selected in the Splunk search.

What I am trying to do is to produce a timechart that will graph the percentage over time.

I now have 2 queries that each produce a timechart for each individual part of the equation:

index=index sourcetype=logs StringA | timechart span=4h count by StringA

index=index sourcetype=logs StringB | timechart span=4h count by StringB

What I am attempting to do is to produce a timechart that is the percentage value?

eval percentage = (StringA/StringB) * 100

but when I try to put the two above searches into a single query Splunk shows the results of the first eval ?

index=index sourcetype=logs ("StringA" OR "StringB")
| eval type=case(like(_raw, "%StringA%"), A, like(_raw, "%sStringB%"), B)
| eval percentage=round((A / B)*100,1)

| fields -A,B

| timechart count by percentage span=4h

sjringo · ‎09-08-2021

Yes it is and after adding quotes I do get a percentage.

I added one last line for the visualizations to show up correctly:

| fields + _time, percentage

Thanks for everyone's help I have been banging my head for several weeks !!!

View solution in original post

sjringo · ‎09-08-2021

Ok, here is what I have now. In the results statistics it appears I am seeing the total of A&B and not a percentage.

index=index sourcetype=logs ("StringA" OR "StringB")

| eval type=case(like(_raw, "%StringA%"), A, like(_raw, "%StringB%"), B)

| timechart span=1h count by type

| eval percentage=round((A/B)*100,2)

Results

4 hours ago

10:00 | 976

11:00 | 1074

12:00 | 1038

13:00 | 1036

14:00 | 2

ITWhisperer · ‎09-08-2021

Is it a typo that you don't have A and B in quotes?

| eval type=case(like(_raw, "%StringA%"), "A", like(_raw, "%StringB%"), "B")

sjringo · ‎09-08-2021

Yes it is and after adding quotes I do get a percentage.

I added one last line for the visualizations to show up correctly:

| fields + _time, percentage

Thanks for everyone's help I have been banging my head for several weeks !!!

PickleRick · ‎09-08-2021

Well, you need stats over time that have two columns - one for count A and second for count B, right?

You can approach it from at least two separate ways.

One possible solution is the one you're getting close to. The idea of checking whether the event matches stringA or stringB was quite OK. Now all that's left is to do a timechart to count A's and B's.

So after your search

index=index sourcetype=logs ("StringA" OR "StringB")
| eval type=case(like(_raw, "%StringA%"), "A", like(_raw, "%sStringB%"), "B")

you add

| timechart span=1h count(eval(type="A")) as A count(eval(type="B")) as B | eval percentage=round((A/B)*100,2)

or even easier

| timechart span=1h count by type | eval percentage [...]

How to (chart / graph) the percentage of two string occurrences ?

count

eval

timechart

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?