Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to (chart / graph) the percentage of two s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the query that I am starting with:
index=index sourcetype=logs StringA
| stats count as A
| appendcols [search index=index sourcetype=logs StringB | stats count as B]
| eval percentage = (A / B) * 100
This works with no problems and returns the percentage as expected for the time period selected in the Splunk search.
What I am trying to do is to produce a timechart that will graph the percentage over time.
I now have 2 queries that each produce a timechart for each individual part of the equation:
index=index sourcetype=logs StringA | timechart span=4h count by StringA
index=index sourcetype=logs StringB | timechart span=4h count by StringB
What I am attempting to do is to produce a timechart that is the percentage value?
eval percentage = (StringA/StringB) * 100
but when I try to put the two above searches into a single query Splunk shows the results of the first eval ?
index=index sourcetype=logs ("StringA" OR "StringB")
| eval type=case(like(_raw, "%StringA%"), A, like(_raw, "%sStringB%"), B)
| eval percentage=round((A / B)*100,1)
| fields -A,B
| timechart count by percentage span=4h
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes it is and after adding quotes I do get a percentage.
I added one last line for the visualizations to show up correctly:
| fields + _time, percentage
Thanks for everyone's help I have been banging my head for several weeks !!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, here is what I have now. In the results statistics it appears I am seeing the total of A&B and not a percentage.
index=index sourcetype=logs ("StringA" OR "StringB")
| eval type=case(like(_raw, "%StringA%"), A, like(_raw, "%StringB%"), B)
| timechart span=1h count by type
| eval percentage=round((A/B)*100,2)
Results
4 hours ago
10:00 | 976
11:00 | 1074
12:00 | 1038
13:00 | 1036
14:00 | 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it a typo that you don't have A and B in quotes?
| eval type=case(like(_raw, "%StringA%"), "A", like(_raw, "%StringB%"), "B")- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes it is and after adding quotes I do get a percentage.
I added one last line for the visualizations to show up correctly:
| fields + _time, percentage
Thanks for everyone's help I have been banging my head for several weeks !!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, you need stats over time that have two columns - one for count A and second for count B, right?
You can approach it from at least two separate ways.
One possible solution is the one you're getting close to. The idea of checking whether the event matches stringA or stringB was quite OK. Now all that's left is to do a timechart to count A's and B's.
So after your search
index=index sourcetype=logs ("StringA" OR "StringB")
| eval type=case(like(_raw, "%StringA%"), "A", like(_raw, "%sStringB%"), "B")you add
| timechart span=1h count(eval(type="A")) as A count(eval(type="B")) as B | eval percentage=round((A/B)*100,2)
or even easier
| timechart span=1h count by type | eval percentage [...]
.conf25 Community Recap
Splunk App Developers | .conf25 Recap & What’s Next
Congratulations to the 2025-2026 SplunkTrust!
