Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find top events contributing to a total of X% of the events?

dkikan
Engager
‎02-07-2017 12:51 AM

Hi, I can find the top events but I want to see all those events that are contributing say 80% of the total. e.g. there are 25k events and the top 10 events contribute to 96% of the total. I want to see the only events that contribute to 80% of the total rather than 96% as retrieved in the results. I have read related questions/answers but couldn't get a clue how to do it. Anyone please?

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎02-07-2017 07:45 AM

Give this a try. Assuming there is a unique identifier field call identifier based on which the top is calculated.

index=foo sourcetype=bar [ search index=foo sourcetype=bar | stats count by identifier | sort 0 -count | eventstats sum(count) as total | eval perc=round(count*100/total) | accum perc | where perc<=80]
0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...