Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to generate a search that will compare Log_Level events to the total number of events?

mercur
New Member
‎12-16-2016 08:17 AM

Hi

I want to do a search of something i would think would be very simple but i cant get it to work.

I want to compare the Log_Level Events that i have to the total events for that day?

So for example WARN/TotalEvents in 24 Hours.

Hope someone can help

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-16-2016 08:52 AM

Try something like this.

your base search Log_Level=* | stats count as TotalEvents count(eval(Log_Level="WARN")) as WARN

OR

your base search Log_Level=* | eval WARN=if(Log_Level="WARN",1,0) |  stats count as TotalEvents sum(WARN) as WARN

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-16-2016 08:52 AM

Try something like this.

your base search Log_Level=* | stats count as TotalEvents count(eval(Log_Level="WARN")) as WARN

OR

your base search Log_Level=* | eval WARN=if(Log_Level="WARN",1,0) |  stats count as TotalEvents sum(WARN) as WARN
0 Karma
Reply
Solved! Jump to solution

mercur
New Member
‎12-16-2016 12:31 PM

That worked flawlessly i think i made it to complicated.

To get the Percentage i added eval percentage=(WARN/TotalEvents) | table percentage is this the right way to do it ?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-16-2016 12:36 PM

Yes.. I would use something like this for more human readable format of percentage

...| eval percentage=round(WARN*100/TotalEvents,2))
0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...