Solved: Re: How to show percentages calculated by totals

ivana27 · ‎02-16-2021

Hi Splunkers,

please help. I have search where i want to show percentages by host of how many errors (mentioned below) occured on host comparing with other hosts. This is my search, and i get results for all hosts 100%

index=pkg_dummy host IN (*) "[Error] POS Card Validation - Result: Timeout"
| eval host=host | dedup _raw
| rex "\[Error\]\sPOS\sCard\sValidation\s\-\sResult:\s(?<timeout>Timeout)"
| stats count by host AS "TOTAL"
| stats count(eval(timeout)) AS NOK_Transaction by host
| eval FailedTr = round((NOK_Transaction / TOTAL *100),2), FailedTr = FailedTr + "%"
| table host FailedTr
| sort FailedTr desc

Thank you

ivana27 · ‎02-16-2021

My bad, i found solution, trick was in

| eventstats sum(count) as TOTAL

Thank you for quick feedback

View solution in original post

ITWhisperer · ‎02-16-2021

I am surprised you get anything

| stats count by host AS "TOTAL"

if the wrong syntax and even if it was

| stats count AS "TOTAL" by host

You are left with two columns (host and count) which means

| stats count(eval(timeout)) AS NOK_Transaction by host

Will return zeros

Please clarify what you are actually trying

ivana27 · ‎02-16-2021

My bad, i found solution, trick was in

| eventstats sum(count) as TOTAL

Thank you for quick feedback

How to show percentages calculated by totals

count

rex

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk