Splunk Search

How to edit my search to get total events, get specific events, and calculate the percentage?

jnahuelperez35
Path Finder

Hi guys! I'm going crazy trying to find a way to solve this problem.

I'm trying to find the percentage of Non Cleaned Malware from my AV log. For that I have a field that contains the legends of "Cleaned", "Quarantined", "Unable to Clean", "Unable to Quarantine", "Unable to handle", etc.

For me, all the events that have a result like "Unable to *" are non contained detections, so I made this search to compare the results and have the percentage value:

source=malware.csv | stats count as total | append [search source=malware.csv Result="Unable to *" | stats count as nocont | eval resultado=nocont/total*100] |table nocont

The result must be a Single Value with a number like "20%".

Any suggestions?

0 Karma
1 Solution

HiroshiSatoh
Champion

How about this?

source=malware.csv | stats count as total | appendcols  [search source=malware.csv Result="Unable to *" | stats count as nocont ]| eval resultado=nocont/total*100 |table nocont


niketn
Legend

You can use eventstats to get the total events containing Result field. Then filter only Results containing "Unable to*" pattern:

index=_internal Result=* 
| eventstats count as total 
| search Result="Unable to *"
| stats count as nocont values(Result) as Results last(total) as total
| eval resultado=round((nocont/total)*100,0)
| table Results nocont total resultado
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
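A single-pass alternative to both the appendcols search and the eventstats search above, added here as an example rather than code from either answer: it counts the "Unable to *" events and the total in one stats call and formats the ratio as the "20%"-style single value the question asks for. It assumes the same Result field, and the first three lines build a constructed ten-row dataset with makeresults so it runs without the malware.csv source:

```spl
| makeresults count=10
| streamstats count as n
| eval Result=case(n<=6, "Cleaned", n==7, "Quarantined", n==8, "Unable to Clean", n==9, "Unable to Quarantine", n==10, "Unable to handle")
| stats count as total, count(eval(like(Result, "Unable to %"))) as nocont
| eval resultado=round(nocont/total*100, 0)."%"
| table total nocont resultado
```

Against real data, replace the first three lines with `source=malware.csv`; on the constructed rows the output is total=10, nocont=3 and resultado=30%.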

jnahuelperez35
Path Finder

This answer is also correct. Thanks a lot for your help! 😃

0 Karma

niketn
Legend

Please run both searches, with appendcols and with the nested search. Check in Job Inspector for better performance.

0 Karma

jnahuelperez35
Path Finder

It worked!!! You are amazing. Thanks a lot for your help! 😃

0 Karma