Solved: How to show percentages calculated by totals

ivana27 · ‎02-16-2021

Hi Splunkers,

please help. I have search where i want to show percentages by host of how many errors (mentioned below) occured on host comparing with other hosts. This is my search, and i get results for all hosts 100%

index=pkg_dummy host IN (*) "[Error] POS Card Validation - Result: Timeout"
| eval host=host | dedup _raw
| rex "\[Error\]\sPOS\sCard\sValidation\s\-\sResult:\s(?<timeout>Timeout)"
| stats count by host AS "TOTAL"
| stats count(eval(timeout)) AS NOK_Transaction by host
| eval FailedTr = round((NOK_Transaction / TOTAL *100),2), FailedTr = FailedTr + "%"
| table host FailedTr
| sort FailedTr desc

Thank you

ivana27 · ‎02-16-2021

My bad, i found solution, trick was in

| eventstats sum(count) as TOTAL

Thank you for quick feedback

View solution in original post

ITWhisperer · ‎02-16-2021

I am surprised you get anything

| stats count by host AS "TOTAL"

if the wrong syntax and even if it was

| stats count AS "TOTAL" by host

You are left with two columns (host and count) which means

| stats count(eval(timeout)) AS NOK_Transaction by host

Will return zeros

Please clarify what you are actually trying

ivana27 · ‎02-16-2021

My bad, i found solution, trick was in

| eventstats sum(count) as TOTAL

Thank you for quick feedback

How to show percentages calculated by totals

count

rex

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?