Looking to switch the output from count to percentages on the search below. For example, they are looking to chart what percent of "cart API calls" are timeouts.
Anyone have any suggestions on how to make that happen?
Thanks in advance
| eval group=case(costTime < 1,1,costTime < 2,2,costTime < 5,5,costTime < 10,10,costTime < 15,15,costTime < 20, 20,costTime < 25, 25,costTime < 28, 28,costTime >=28, "Timeout") | eval RequestFormat=case(Request like "%catalog%", "Catalog Service Calls",Request like "%inventory%","Inventory Service Calls", Request like "%price%", "Price Service Calls", Request="order/calculation","Order API - Order Calc", Request="order", "Order API - Submit Order",Request="order/estimatePayment", "Order API - Estimate Payment", Request like "profile%", "Profile API Calls", Request like "cart%", "Cart API Calls", Request like "%", Request) | chart count by RequestFormat group
You could use the addtotals command to give you row totals and then a foreach command to iterate over each field to calculate a percentage value. Here's an untested example of what I mean.
...|chart count by RequestFormat group |addtotals |foreach 1 2 5 10 15 20 25 28 Timeout [ eval <<FIELD>>=round(('<<FIELD>>'/Total)*100, 1) . "%" ]
Hope this helps.
UPDATE: fixed untested example.
That gets us halfway there. We now have the totals column at the end but still not showing percentages. Any ideas on what adjustments to make to the search? Sorry...this is a little over my head in regards to Splunk 🙂
Thanks again for the assistance.
There were some small mistakes in the 'foreach' command - the 'total' should be 'Total' and the <<FIELD>> value needs single quotes. Here's a run anywhere example:
|stats count as 1 | eval 1=25 |eval 5=50 |addtotals |foreach 1 5 [ eval <<FIELD>>_PERC=round(('<<FIELD>>'/Total)*100, 1) . "%" ]
Glad you found a solution 🙂 Don't forget to accept Answers that solved your questions by clicking "Accept" directly below the answer to resolve the post. Also, if someone was helpful, please make sure to upvote their answer by clicking the up arrow to the left of the answer. To upvote a comment, hover your cursor over the comment and click the up arrow. I already accepted the answer for you, but @gcato deserves some karma points for solving your question ;D