How to get percentage of 200 responses?

sphiwee · ‎03-13-2023

I have current search

index="intau_workfusion" host=* sourcetype="services_status.out.log" service="HTTP/1.1" status=* | chart count by status

when I run it and save as pie chart I am able to get the percentage of the different status code status's, but I want it in table format and I cant divide by total when doing my eval status as all the other status codes still fall under "status" how can I solve this?

sphiwee · ‎03-15-2023

sorry the first answer was correct, this is a different issue

heres my query index="intau_workfusion" host=* "crash" | chart count by host status

so I want to be able to display a zero if a host returns no results

sphiwee · ‎03-15-2023

thank you it's working, i forgot to mention that it has to display 0 for hosts that do not have any results, ive tried fillnull and its not working

ITWhisperer · ‎03-15-2023

OK that puts a different spin on it

| chart count by host status
| addtotals
| eval "200" = 100 * '200'/Total
| fields host 200 Total
| append
    [ <search to list all the hosts you are interested in> ]
| fillnull value=0
| stats sum(*) as * by host

ITWhisperer · ‎03-13-2023

| chart count by status
| eventstats sum(count) as total
| eval percent=100*count/total

How to get percentage of 200 responses?

chart

eval

stats

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services