Splunk Search

How to display a column of percentages using one entry as the max

Engager

I have a table that shows the count of messages in my log. I want to be able to display the percentage of these using one entry as the number I care about. First, here is the search I am using:

<search> | eval msg=<something> | stats count by msg | sort - count

This gives something like this:

  msg, count
  NumInterestingEntries, 10000
  LableA, 8888
  LableB, 6003
  LableC, 4987

I would like to have a new column with the percentage based on 'out of the NumInterestingEntries' value, like this:

  msg, count
  NumInterestingEntries, 10000, 100%
  LableA, 8888, 88.88%
  LableB, 6003, 60.03%
  LableC, 4987, 49.87%

How would I achieve this? I tried adding

 | eventstats count as "totalCount" | eventstats count as "choiceCount" by msg | eval percent=(choiceCount/totalCount)*100 | stats values(percent) by msg | sort - values(percent)

but this adds the column up to make totalCount. I can't seem to select the cell I want to use instead of totalCount.
Thanks

0 Karma
1 Solution

Champion

What about something like this?

 <search> | eval msg=<something> | stats count by msg | eventstats max(count) as max | eval percent = tostring((count/max)*100)."%" | fields - max

0 Karma

Engager

Perfect, thanks 🙂 I just added the following on the end to make it sorted

| sort - count
0 Karma
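
Added example, not part of the original thread: a self-contained search that rebuilds the question's table with `makeresults` (constructed sample rows) and computes each percentage against the row named `NumInterestingEntries`, selected by name rather than by largest count, so it goes slightly beyond the accepted answer. The field names `row`, `ref` and `base` are hypothetical helpers, and the percentage shows `n/a` when the reference row is missing or zero.

```spl
| makeresults
| eval row=split("NumInterestingEntries,10000;LableA,8888;LableB,6003;LableC,4987", ";")
| mvexpand row
| eval msg=mvindex(split(row, ","), 0), count=tonumber(mvindex(split(row, ","), 1))
| fields msg count
| eval ref=if(msg=="NumInterestingEntries", count, null())
| eventstats max(ref) as base
| eval percent=if(base > 0, tostring(round((count / base) * 100, 2))."%", "n/a")
| fields - ref base
| sort - count
```

Against real data, replace the first five lines with `<search> | eval msg=<something> | stats count by msg` from the question.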