Solved: Re: How to edit my search to show percentage inste...

sidekix24 · ‎10-21-2015

Looking to switch the output from count to percentages on the search below. For example, they a looking to chart what percent of "cart API calls" are timeouts.

Anyone have any suggestions on how to make that happen?

Thanks in advance

| eval group=case(costTime < 1,1,costTime < 2,2,costTime < 5,5,costTime < 10,10,costTime < 15,15,costTime < 20, 20,costTime < 25, 25,costTime < 28, 28,costTime >=28, "Timeout") | eval RequestFormat=case(Request like "%catalog%", "Catalog Service Calls",Request like "%inventory%","Inventory Service Calls", Request like "%price%", "Price Service Calls", Request="order/calculation","Order API - Order Calc", Request="order", "Order API - Submit Order",Request="order/estimatePayment", "Order API - Estimate Payment", Request like "profile%", "Profile API Calls", Request like "cart%", "Cart API Calls", Request like "%", Request) | chart count by RequestFormat group

gcato · ‎10-21-2015

Hi sidekix24,

You could use the addtotals command to give you row totals and then a foreach command to to iterate over each field to calculate a percentage value. Here's an untested example of what I mean.

...|chart count by RequestFormat group |addtotals |foreach 1 2 5 10 15 20 25 28 timeout [ eval <<FIELD>=round(('<<FIELD>>'/Total)*100, 1) . "%" ]

Hope this helps.

UPDATE: fixed untested example.

View solution in original post

gcato · ‎10-21-2015

Hi sidekix24,

You could use the addtotals command to give you row totals and then a foreach command to to iterate over each field to calculate a percentage value. Here's an untested example of what I mean.

...|chart count by RequestFormat group |addtotals |foreach 1 2 5 10 15 20 25 28 timeout [ eval <<FIELD>=round(('<<FIELD>>'/Total)*100, 1) . "%" ]

Hope this helps.

UPDATE: fixed untested example.

sidekix24 · ‎10-22-2015

Thanks gcato,

That gets us halfway there. We now have the totals column at the end but still not showing percentages. Any ideas on what adjustments to make to the search? Sorry...this is a little over my head in regards to splunk 🙂

Thanks again for the assistance.

gcato · ‎10-22-2015

There was some small mistakes in the 'foreach' command - the 'total' should be Total' and the <> value needs single quotes. Here's a run anywhere example:

|stats count as 1 | eval 1=25 |eval 5=50 |addtotals |foreach 1 5 [ eval <<FIELD>>_PERC=round(('<<FIELD>>'/Total)*100, 1) . "%" ]

sidekix24 · ‎10-22-2015

That looks to have done it!!! Thanks for the help!!

ppablo · ‎10-22-2015

Glad you found a solution 🙂 Don't forget to accept Answers that solved your questions by clicking "Accept" directly below the answer to resolve the post. Also, if someone was helpful, please make sure to upvote their answer by clicking the up arrow to the left of the answer. To upvote a comment, hover your cursor over the comment and click the up arrow. I already accepted the answer for you, but @gcato deserves some karma points for solving your question ;D

How to edit my search to show percentage instead of count on chart count?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!