Splunk Search

How to get percentage of 200 responses?

sphiwee
Contributor

I have current search 

index="intau_workfusion" host=* sourcetype="services_status.out.log" service="HTTP/1.1" status=* | chart count by status

 

when I run it and save as pie chart I am able to get the percentage of the different status code status's, but I want it in table format and I cant divide by total when doing my eval status as all the other status codes still fall under "status" how can I solve this?

Labels (3)
Tags (1)
0 Karma

sphiwee
Contributor

sorry the first answer was correct,  this is a different issue

heres my query index="intau_workfusion" host=* "crash" | chart count by host status

so I want to be able to display a zero if a host returns no results

0 Karma

sphiwee
Contributor

thank you it's working, i forgot to mention that it has to display 0 for hosts that do not have any results, ive tried fillnull and its not working

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

OK that puts a different spin on it

| chart count by host status
| addtotals
| eval "200" = 100 * '200'/Total
| fields host 200 Total
| append
    [ <search to list all the hosts you are interested in> ]
| fillnull value=0
| stats sum(*) as * by host

ITWhisperer
SplunkTrust
SplunkTrust
| chart count by status
| eventstats sum(count) as total
| eval percent=100*count/total
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...