Splunk Search

How to show percentages calculated by totals

ivana27
Path Finder

Hi Splunkers,

please help. I have search where i want to show percentages by host of how many errors (mentioned below) occured on host comparing with other hosts. This is my search, and i get results for all hosts 100%

index=pkg_dummy host IN (*) "[Error] POS Card Validation - Result: Timeout"
| eval host=host | dedup _raw
| rex "\[Error\]\sPOS\sCard\sValidation\s\-\sResult:\s(?<timeout>Timeout)"
| stats count by host AS "TOTAL"
| stats count(eval(timeout)) AS NOK_Transaction by host
| eval FailedTr = round((NOK_Transaction / TOTAL *100),2), FailedTr = FailedTr + "%"
| table host FailedTr
| sort FailedTr desc

Thank you

Labels (2)
0 Karma
1 Solution

ivana27
Path Finder

My bad, i found solution, trick was in 

| eventstats sum(count) as TOTAL

Thank you for quick feedback

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

I am surprised you get anything

| stats count by host AS "TOTAL"

if the wrong syntax and even if it was

| stats count AS "TOTAL" by host

You are left with two columns (host and count) which means 

| stats count(eval(timeout)) AS NOK_Transaction by host

Will return zeros

Please clarify what you are actually trying

ivana27
Path Finder

My bad, i found solution, trick was in 

| eventstats sum(count) as TOTAL

Thank you for quick feedback

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...