Splunk Search
Highlighted

## How to rewrite this query to get percentage at each range?

Communicator
``````index=sample | eval Latency=case(walltime<500, "0-0.5s",          walltime>=500 AND walltime<1000, "0.5s-1s",           walltime>=1000 AND walltime<3000, "1s-3s",           walltime>=3000 AND walltime<6000, "3s-6s",           walltime>=4000 AND walltime<10000, "6s-10s",           walltime>=10000 AND walltime<30000, "10s-30s",           walltime>=30000, ">=30s")  |eval Date =strftime(_time,"%d/%m/%Y") | chart count as RequestCount over Date by Latency
``````

The above query gives me in below format

``````Date | 0-0.5s | 0.5s-1s | 1s-3s | 3s-6s | 6s-10s | 10s-30s
08/08/2018 | 12350 | 20095 | 5530 | 563 | 170 |120
09/08/2018 | 15350 | 10455 | 3430 | 1263 | 1010 |10
``````

I would like to represent this count in terms of Percentage. How do I do the calculation? Please let me know.

Tags (4)
1 Solution
Highlighted

## Re: How to rewrite this query to get percentage at each range?

Builder

Hello @sangs8788 ,

please have a look at addtotals (http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Addtotals) , and in particular at the last sections of the page.
Once you have the total, you should be able to compute the percentage.

Highlighted

## Re: How to rewrite this query to get percentage at each range?

SplunkTrust

@sangs8788,

If you are looking for a daily percentage, then try

``````index=sample | eval Latency=case(walltime<500, "0-0.5s", walltime>=500 AND walltime<1000, "0.5s-1s", walltime>=1000 AND walltime<3000, "1s-3s", walltime>=3000 AND walltime<6000, "3s-6s", walltime>=4000 AND walltime<10000, "6s-10s", walltime>=10000 AND walltime<30000, "10s-30s", walltime>=30000, ">=30s")
|eval Date =strftime(_time,"%d/%m/%Y") | chart count as RequestCount over Date by Latency
|foreach * [eval <<FIELD>>=round((<<FIELD>>/total)*100,2)]|fields - total
``````

OR

``````    index=sample | eval Latency=case(walltime<500, "0-0.5s", walltime>=500 AND walltime<1000, "0.5s-1s", walltime>=1000 AND walltime<3000, "1s-3s", walltime>=3000 AND walltime<6000, "3s-6s", walltime>=4000 AND walltime<10000, "6s-10s", walltime>=10000 AND walltime<30000, "10s-30s", walltime>=30000, ">=30s")
|eval Date =strftime(_time,"%d/%m/%Y") | chart count as RequestCount over Date by Latency
| untable Date,Latency,RequestCount
| eventstats sum(RequestCount) as total by Date|eval Percentage=round((RequestCount/total)*100,2)
| xyseries Date,Latency,Percentage
``````
Highlighted

## Re: How to rewrite this query to get percentage at each range?

Communicator

can i have the total count also displayed for each date?

Highlighted

## Re: How to rewrite this query to get percentage at each range?

SplunkTrust

Yes, if you are using the first search, then remove `fields - total` from the search
For the second one , if you dont want a chart visualization , remove `| xyseries Date,Latency,Percentage`