Splunk Search

How to edit my search to get total events, get specific events, and calculate the percentage?

jnahuelperez35
Path Finder

Hi guys! I'm going crazy trying to find a way to solve this problem.

I'm trying to find the percentage of non-cleaned malware from my AV log. For that I have a field that contains the legends "Cleaned", "Quarantined", "Unable to Clean", "Unable to Quarantine", "Unable to handle", etc.

For me, all the events that have a result like "Unable to *" are non-contained detections, so I made this search to compare the results and get the percentage value:

source=malware.csv | stats count as total | append [search source=malware.csv Result="Unable to *" | stats count as nocont | eval resultado=nocont/total*100] |table nocont

The result must be a Single Value with a number like "20%".

Any suggestions?

0 Karma
1 Solution

HiroshiSatoh
Champion

How about this?

source=malware.csv | stats count as total | appendcols  [search source=malware.csv Result="Unable to *" | stats count as nocont ]| eval resultado=nocont/total*100 |table nocont


niketn
Legend

You can use eventstats to get the total events containing Result field. Then filter only Results containing "Unable to*" pattern:

index=_internal Result=* 
| eventstats count as total 
| search Result="Unable to *"
| stats count as nocont values(Result) as Results last(total) as total
| eval resultado=round((nocont/total)*100,0)
| table Results nocont total resultado
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
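Both answers above line the total up against the "Unable to *" count, one with appendcols and one with eventstats. The same percentage can be produced in a single stats pass with no subsearch at all, which avoids the subsearch result limit and the row-alignment problem that made the original append version return nothing. The search below is an added example, not code from either answer; it builds ten constructed sample events with makeresults so it runs on any Splunk instance, and the field names Result, total, nocont and resultado follow the thread.

```spl
| makeresults count=10
| streamstats count AS n
| eval Result=case(n<=6, "Cleaned", n==7, "Quarantined", n<=9, "Unable to Clean", true(), "Unable to Quarantine")
| stats count AS total, sum(eval(if(like(Result, "Unable to %"), 1, 0))) AS nocont
| eval pct=round(nocont/total*100, 0)
| eval resultado=pct."%"
| table total nocont resultado
```

On the constructed data this returns total=10, nocont=3 and resultado="30%". To run it against the real log, replace the first three lines with `source=malware.csv Result=*`; because total and nocont are computed in the same stats row, the eval that divides them never sees a null field, and the `%` suffix gives the Single Value panel the "20%" style the question asks for.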

jnahuelperez35
Path Finder

This answer is also correct. Thanks a lot for your help! 😃

0 Karma

niketn
Legend

Please run both searches, with appendcols and with the nested search. Check in the Job Inspector for better performance.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jnahuelperez35
Path Finder

It worked!!! You are amazing. Thanks a lot for your help! 😃

0 Karma