Splunk Search

How to display the percentage of total value?

rpradeep
Path Finder

I have a set of servers and their patch status against them in a file.

 Hostname   Patch_status
    server1 Patched
    server2 Pending
    server3 Patched
    server4 Pending
    server5 Pending
    server6 Patched
    server7 Pending
    server8 Patched
    server9 Pending
    server10    Pending

I would like to show a percentage value of Patched servers
In the above example, the percentage value should be 40%.
I have played with CHART, STATS, EVENTSTATs, etc but not able to break it. Can someone help me out.

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@rpradeep
Are you looking for this?

YOUR_SEARCH | stats count by Patch_status 
| eventstats sum(count) as total 
| eval perc = count/total*100

Here I have used eventstats for total count.
ref: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/eventstats

Sample Search:

| makeresults 
| eval data="server1@@Patched||server2@@Pending||server3@@Patched||server4@@Pending||server5@@Pending||server6@@Patched||server7@@Pending||server8@@Patched||server9@@Pending||server10@@Pending" 
| eval data=split(data,"||") 
| mvexpand data 
| eval Hostname=mvindex(split(data,"@@"),0),Patch_status=mvindex(split(data,"@@"),1) 
| table Hostname Patch_status 
| stats count by Patch_status 
| eventstats sum(count) as total 
| eval percent = count/total*100 | table Patch_status percent

if you want specific with Patch_status then add below search in above search.

| where Patch_status="Patched"

Thanks

View solution in original post

kamlesh_vaghela
SplunkTrust
SplunkTrust

@rpradeep
Are you looking for this?

YOUR_SEARCH | stats count by Patch_status 
| eventstats sum(count) as total 
| eval perc = count/total*100

Here I have used eventstats for total count.
ref: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/eventstats

Sample Search:

| makeresults 
| eval data="server1@@Patched||server2@@Pending||server3@@Patched||server4@@Pending||server5@@Pending||server6@@Patched||server7@@Pending||server8@@Patched||server9@@Pending||server10@@Pending" 
| eval data=split(data,"||") 
| mvexpand data 
| eval Hostname=mvindex(split(data,"@@"),0),Patch_status=mvindex(split(data,"@@"),1) 
| table Hostname Patch_status 
| stats count by Patch_status 
| eventstats sum(count) as total 
| eval percent = count/total*100 | table Patch_status percent

if you want specific with Patch_status then add below search in above search.

| where Patch_status="Patched"

Thanks

View solution in original post

rpradeep
Path Finder

Thanks @kamlesh_vaghela , this is what I am looking for but still I need to display the perc value instead of Patched count.
Please help with that too.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@rpradeep

I've updated the answer and added | table Patch_status percent .

Here, percent field is the percentage field. If you want to add % sign then add below eval.

| eval percent=percent."%"

0 Karma

rpradeep
Path Finder

Perfect.
Thanks a lot @kamlesh_vaghela.
I have been using stats/chart, etc in place of table. Table solves my requirement.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Glad to help you @rpradeep

Happy Splunking
:)

0 Karma