How to edit my search to get total events, get specific events, and calculate the percentage?

jnahuelperez35
Path Finder

Hi guys! I'm going crazy trying to find a way to solve this problem.

I'm trying to find the percentage of Non Cleaned Malware from my AV log. For that I have a field that contains the legends "Cleaned", "Quarantined", "Unable to Clean", "Unable to Quarantine", "Unable to handle", etc.

For me, all the events that have a result like "Unable to *" are non-contained detections, so I made this search to compare the results and get the percentage value:

source=malware.csv | stats count as total | append [search source=malware.csv Result="Unable to *" | stats count as nocont | eval resultado=nocont/total*100] |table nocont

The result must be a Single Value with a number like "20%".

Any suggestions?

0 Karma
1 Solution

HiroshiSatoh
Champion

How about this?

source=malware.csv | stats count as total | appendcols [search source=malware.csv Result="Unable to *" | stats count as nocont] | eval resultado=nocont/total*100 | table resultado


niketnilay
Legend

You can use eventstats to get the total number of events containing the Result field, then filter down to only the Results matching the "Unable to *" pattern:

index=_internal Result=*
| eventstats count as total
| search Result="Unable to *"
| stats count as nocont values(Result) as Results last(total) as total
| eval resultado=round((nocont/total)*100,0)
| table Results nocont total resultado
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jnahuelperez35
Path Finder

This answer is also correct. Thanks a lot for your help! 😃

0 Karma

niketnilay
Legend

Please run both searches, the one with appendcols and the one with the nested search, and check the Job Inspector to see which performs better.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jnahuelperez35
Path Finder

It worked!!! You are amazing. Thanks a lot for your help! 😃

0 Karma
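A single-pass alternative to both the appendcols and the eventstats approaches above, added here as an example and not taken from any post in the thread: a conditional count() inside stats computes the total and the "Unable to *" count from the same pass over the data, so no subsearch is needed, and the eval produces the "20%"-style string the question asked for as a Single Value. It assumes the same source (malware.csv) and field name (Result) as the question, and that the "Unable to *" results are the only non-contained category.

```spl
source=malware.csv
| stats count as total, count(eval(like(Result,"Unable to %"))) as nocont
| eval resultado=if(total>0, round(nocont/total*100,0)."%", "0%")
| table resultado
```

The if() guards against a division by null when the time range returns no events; change the final line to `| table total nocont resultado` while validating the numbers against the appendcols and eventstats versions.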