Solved: How to show the percentage of unique values

ewanbrown · ‎08-08-2017

Hi,

I have a simple search that uses top to get the top 10 countries:

   search ........ | top Country

It will give the top 10 Countries and percentage.

How can I get the same, but look at the top 10 Countries by unique users?

This :

 search ..... | stats dc(ID) as users by  Country | sort users desc limit=10

Will give me the top 10, but not show the % for each.

Is there a way to do this?

Thanks

cmerriman · ‎08-08-2017

try this:

 search ..... | eventstats dc(ID) as totalUsers|stats max(totalUsers) as totalUsers dc(ID) as users by  Country | sort users desc limit=10|eval percentage=users/totalUsers*100|fields - totalUsers

View solution in original post

cmerriman · ‎08-08-2017

try this:

 search ..... | eventstats dc(ID) as totalUsers|stats max(totalUsers) as totalUsers dc(ID) as users by  Country | sort users desc limit=10|eval percentage=users/totalUsers*100|fields - totalUsers

ewanbrown · ‎08-08-2017

Perfect!

Thanks, I knew it was something to do with eventstats, but couldn't get it to work!

How to show the percentage of unique values

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How to show the percentage of unique values

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?