How to sum all values in a column using the "eval"...

mstrozyk25 · ‎02-05-2018

I have a query in which each row represents statistics for an individual person. I want to sum up the entire amount for a certain column and then use that to show percentages for each person.

Example:

Person | Number Completed
x | 20
y | 30
z | 50

From here I would love the sum of "Number Completed" (100) and then use that to add the field like so:

Person | Number Completed | Percentage Completed
x | 20 | 20%
y | 30 | 30%
z | 50 | 50%

I am having trouble thinking of ways to do this without the eval command as I have already gathered statistics "by Person" which is limiting me from gathering the statistics of the whole.

If you could help me out that would be greatly appreciated. Thanks!

493669 · ‎02-05-2018

Try this run anywhere search:

|makeresults|eval person="x", no="20"|append[|makeresults|eval person="y", no="30"]|append[|makeresults|eval person="z", no="50"]|table person no|stats values(no) as no by person|eventstats sum(no) as total|eval percentage=((no/total)*100)."%"

FrankVl · ‎02-05-2018

...your search here...
| eventstats sum(NumberCompleted) as total
| eval PercentageCompleted=(NumberCompleted/total)*100

Eventstats will append a field "total" to each row, with the total of the Number column. That can then be used in an eval to calculate the completion per row.

How to sum all values in a column using the "eval" command?

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Are you a member of the Splunk Community?

How to sum all values in a column using the "eval" command?

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!