Solved: How to (chart / graph) the percentage of two strin...

sjringo · ‎09-08-2021

This is the query that I am starting with:

index=index sourcetype=logs StringA

| stats count as A

| appendcols [search index=index sourcetype=logs StringB | stats count as B]

| eval percentage = (A / B) * 100

This works with no problems and returns the percentage as expected for the time period selected in the Splunk search.

What I am trying to do is to produce a timechart that will graph the percentage over time.

I now have 2 queries that each produce a timechart for each individual part of the equation:

index=index sourcetype=logs StringA | timechart span=4h count by StringA

index=index sourcetype=logs StringB | timechart span=4h count by StringB

What I am attempting to do is to produce a timechart that is the percentage value?

eval percentage = (StringA/StringB) * 100

but when I try to put the two above searches into a single query Splunk shows the results of the first eval ?

index=index sourcetype=logs ("StringA" OR "StringB")
| eval type=case(like(_raw, "%StringA%"), A, like(_raw, "%sStringB%"), B)
| eval percentage=round((A / B)*100,1)

| fields -A,B

| timechart count by percentage span=4h

sjringo · ‎09-08-2021

Yes it is and after adding quotes I do get a percentage.

I added one last line for the visualizations to show up correctly:

| fields + _time, percentage

Thanks for everyone's help I have been banging my head for several weeks !!!

View solution in original post

sjringo · ‎09-08-2021

Ok, here is what I have now. In the results statistics it appears I am seeing the total of A&B and not a percentage.

index=index sourcetype=logs ("StringA" OR "StringB")

| eval type=case(like(_raw, "%StringA%"), A, like(_raw, "%StringB%"), B)

| timechart span=1h count by type

| eval percentage=round((A/B)*100,2)

Results

4 hours ago

10:00 | 976

11:00 | 1074

12:00 | 1038

13:00 | 1036

14:00 | 2

ITWhisperer · ‎09-08-2021

Is it a typo that you don't have A and B in quotes?

| eval type=case(like(_raw, "%StringA%"), "A", like(_raw, "%StringB%"), "B")

sjringo · ‎09-08-2021

Yes it is and after adding quotes I do get a percentage.

I added one last line for the visualizations to show up correctly:

| fields + _time, percentage

Thanks for everyone's help I have been banging my head for several weeks !!!

PickleRick · ‎09-08-2021

Well, you need stats over time that have two columns - one for count A and second for count B, right?

You can approach it from at least two separate ways.

One possible solution is the one you're getting close to. The idea of checking whether the event matches stringA or stringB was quite OK. Now all that's left is to do a timechart to count A's and B's.

So after your search

index=index sourcetype=logs ("StringA" OR "StringB")
| eval type=case(like(_raw, "%StringA%"), "A", like(_raw, "%sStringB%"), "B")

you add

| timechart span=1h count(eval(type="A")) as A count(eval(type="B")) as B | eval percentage=round((A/B)*100,2)

or even easier

| timechart span=1h count by type | eval percentage [...]

How to (chart / graph) the percentage of two string occurrences ?

count

eval

timechart

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform