How to rewrite this query to get percentage at each range?

Communicator
    index=sample | eval Latency=case(walltime<500, "0-0.5s", walltime>=500 AND walltime<1000, "0.5s-1s", walltime>=1000 AND walltime<3000, "1s-3s", walltime>=3000 AND walltime<6000, "3s-6s", walltime>=6000 AND walltime<10000, "6s-10s", walltime>=10000 AND walltime<30000, "10s-30s", walltime>=30000, ">=30s")
    | eval Date=strftime(_time,"%d/%m/%Y") | chart count as RequestCount over Date by Latency

The above query gives me output in the below format:

Date | 0-0.5s | 0.5s-1s | 1s-3s | 3s-6s | 6s-10s | 10s-30s
08/08/2018 | 12350 | 20095 | 5530 | 563 | 170 | 120
09/08/2018 | 15350 | 10455 | 3430 | 1263 | 1010 | 10

I would like to represent this count in terms of Percentage. How do I do the calculation? Please let me know.

0 Karma

Re: How to rewrite this query to get percentage at each range?

Builder

Hello @sangs8788 ,

Please have a look at addtotals (http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Addtotals), and in particular at the last sections of the page.
Once you have the total, you should be able to compute the percentage.

0 Karma

Re: How to rewrite this query to get percentage at each range?

SplunkTrust

@sangs8788,

If you are looking for a daily percentage, then try

    index=sample | eval Latency=case(walltime<500, "0-0.5s", walltime>=500 AND walltime<1000, "0.5s-1s", walltime>=1000 AND walltime<3000, "1s-3s", walltime>=3000 AND walltime<6000, "3s-6s", walltime>=6000 AND walltime<10000, "6s-10s", walltime>=10000 AND walltime<30000, "10s-30s", walltime>=30000, ">=30s")
    |eval Date =strftime(_time,"%d/%m/%Y") | chart count as RequestCount over Date by Latency
    |addtotals fieldname=total
    |foreach * [eval "<<FIELD>>"=if("<<FIELD>>"=="Date" OR "<<FIELD>>"=="total", '<<FIELD>>', round(('<<FIELD>>'/total)*100,2))]|fields - total

OR

    index=sample | eval Latency=case(walltime<500, "0-0.5s", walltime>=500 AND walltime<1000, "0.5s-1s", walltime>=1000 AND walltime<3000, "1s-3s", walltime>=3000 AND walltime<6000, "3s-6s", walltime>=6000 AND walltime<10000, "6s-10s", walltime>=10000 AND walltime<30000, "10s-30s", walltime>=30000, ">=30s")
    |eval Date =strftime(_time,"%d/%m/%Y") | chart count as RequestCount over Date by Latency
    | untable Date,Latency,RequestCount
    | eventstats sum(RequestCount) as total by Date|eval Percentage=round((RequestCount/total)*100,2)
    | xyseries Date,Latency,Percentage


Re: How to rewrite this query to get percentage at each range?

Communicator

Can I have the total count also displayed for each date?

0 Karma

Re: How to rewrite this query to get percentage at each range?

SplunkTrust

Yes, if you are using the first search, then remove fields - total from the search.
For the second one, if you don't want a chart visualization, remove | xyseries Date,Latency,Percentage

0 Karma
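
Added example, not part of the thread or any poster's search: one way to show the request count, its percentage and the per-day total in the same table. It reuses index=sample and walltime from the searches above; the field name Total is chosen here for illustration, and the `*s` wildcard assumes every bucket label ends in "s" (as they do above) so that Date and Total are left untouched.

```spl
index=sample
| eval Latency=case(walltime<500, "0-0.5s",
    walltime>=500 AND walltime<1000, "0.5s-1s",
    walltime>=1000 AND walltime<3000, "1s-3s",
    walltime>=3000 AND walltime<6000, "3s-6s",
    walltime>=6000 AND walltime<10000, "6s-10s",
    walltime>=10000 AND walltime<30000, "10s-30s",
    walltime>=30000, ">=30s")
| eval Date=strftime(_time, "%d/%m/%Y")
| chart count over Date by Latency
| addtotals fieldname=Total
| foreach *s [eval "<<FIELD>>"='<<FIELD>>'." (".round(('<<FIELD>>'/Total)*100, 2)."%)"]
```

Inside the foreach subsearch the field name is double-quoted on the left of the assignment and single-quoted where its value is read, which eval requires for names containing characters such as "-", "." or ">". If the six buckets listed for 08/08/2018 in the question are the whole row (total 38828), the 0-0.5s cell reads 12350 (31.81%).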