Splunk Search

How to find top events contributing to a total of X% of the events?

dkikan
Engager

Hi, I can find the top events but I want to see all those events that are contributing say 80% of the total. e.g. there are 25k events and the top 10 events contribute to 96% of the total. I want to see the only events that contribute to 80% of the total rather than 96% as retrieved in the results. I have read related questions/answers but couldn't get a clue how to do it. Anyone please?

Tags (1)
0 Karma

somesoni2
Revered Legend

Give this a try. Assuming there is a unique identifier field call identifier based on which the top is calculated.

index=foo sourcetype=bar [ search index=foo sourcetype=bar | stats count by identifier | sort 0 -count | eventstats sum(count) as total | eval perc=round(count*100/total) | accum perc | where perc<=80] 
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...