Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to reuse the count from a previous search to calculate a percentage in a second search or combine the two searches?

otman01
Communicator
‎04-03-2015 12:56 AM

Hi,

I want to create a dashboard using these 2 searches:
1) the first one index='text' | count, will give a result. For example result=250
2) the second one will be based on the result of the first one
index='text' type='cpu'| eventstats sum(nombre) as total | eval pourcentage=round((nombre/result)*100,2) | table EventType, nombre, pourcentage

Do you have an idea how to do this?
Thank you all, have a nice day

Tags (3)
Reply

chimell
Motivator
‎04-07-2015 03:47 AM

Hi otman01
Just follow this link ,it will help you
http://answers.splunk.com/answers/169069/extract-one-row-of-data-from-a-table.html

0 Karma
Reply

otman01
Communicator
‎04-07-2015 02:50 AM

Thank you I could find another solution, for my case I use WHERE expression to extrat just one line

0 Karma
Reply

chimell
Motivator
‎04-04-2015 04:43 AM

Hi otman01
Try this xml code 

    <dashboard>
      <label>fcff</label>
      <row>
        <panel>
          <chart>
            <search>
              <query>source="WinEventLog:*" | chart count AS result</query>
              <earliest>0</earliest>
              <latest>now</latest>
            </search>
          </chart>
        </panel>
      </row>
    <row>
        <panel>
          <chart>
            <search>
              <query> source="WinEventLog:*" EventType=0 | chart count by EventType </query>
              <earliest>0</earliest>
              <latest>now</latest>
            </search>
          </chart>
        </panel>
      </row>
    <row>
        <panel>
          <chart>
            <search>
              <query> source="WinEventLog:*" | chart count as nombre by EventType | eventstats sum(nombre) as total | eval percentage=round((nombre/total)*100,2) | table EventType, nombre, percentage </query>
              <earliest>0</earliest>
              <latest>now</latest>
            </search>
          </chart>
        </panel>
      </row>
    </dashboard>
0 Karma
Reply

chimell
Motivator
‎04-07-2015 02:59 AM

Are you satisfied by my previous answer ? If yes let vote it

Reply

otman01
Communicator
‎04-07-2015 01:08 AM

Thank you for your answer.
so this is an extrat of the result that the search return:
EventType--------nombre ------------------- percentage
0------------------- 8246 ----------------------- 14.43
1 ------------------- 18 --------------------------- 0.03
2 ------------------- 7512 ----------------------- 13.15
3 ------------------- 3982 ------------------------ 6.97
4 ------------------- 37286 ---------------------- 65.25
5 ------------------- 101 -------------------------- 0.18

What I want to do is extract for example the 2nd row and the 4th row .
Is this is POSSIBLE ?

0 Karma
Reply

ppablo
Retired
‎04-09-2015 03:09 PM

Hi @otman01

Please be sure than when responding to someone's answer, click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You keep typing your responses in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer when it was really meant as a comment. This will help with a clean continuous flow of the conversation. It gets difficult when people don't know who you're responding to. I already converted your answer to a comment, so just something to keep in mind from here on out. Thanks

0 Karma
Reply

otman01
Communicator
‎04-03-2015 06:31 AM

Yes EventType is a field for me there are a values that it accept (0.1.2.3.4.5.6)
thank you

0 Karma
Reply

stephane_cyrill
Builder
‎04-03-2015 01:52 AM

Hi, Otman01
try this:
index='text'|count AS result [search index='text' type='cpu'| eventstats sum(nombre) as total ]| eval pourcentage=round((nombre/result)*100,2) | table EventType, nombre, pourcentage

Thanks to vote and Accept if your are satisfied....

0 Karma
Reply

otman01
Communicator
‎04-03-2015 05:49 AM

I have some problems in the 2 searchs. can you help me ? thank you
"Error in 'chart' command: The argument '( ( EventType=0 AND count=7957 ) )' is invalid."

this is exactely the first search:
source="WinEventLog:*" | chart count AS result

this is the second:
search source="WinEventLog:*" EventType=0 | chart count by EventType

in the general search I do like bellow (it works to give me the percentage)

source="WinEventLog:*" | chart count as nombre by EventType | eventstats sum(nombre) as total | eval percentage=round((nombre/total)*100,2) | table EventType, nombre, percentage

but I want to keep each row in a separate panel .

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...