Re: How to sum all values in a column using the "e...

mstrozyk25 · ‎02-05-2018

I have a query in which each row represents statistics for an individual person. I want to sum up the entire amount for a certain column and then use that to show percentages for each person.

Example:

Person | Number Completed
x | 20
y | 30
z | 50

From here I would love the sum of "Number Completed" (100) and then use that to add the field like so:

Person | Number Completed | Percentage Completed
x | 20 | 20%
y | 30 | 30%
z | 50 | 50%

I am having trouble thinking of ways to do this without the eval command as I have already gathered statistics "by Person" which is limiting me from gathering the statistics of the whole.

If you could help me out that would be greatly appreciated. Thanks!

493669 · ‎02-05-2018

Try this run anywhere search:

|makeresults|eval person="x", no="20"|append[|makeresults|eval person="y", no="30"]|append[|makeresults|eval person="z", no="50"]|table person no|stats values(no) as no by person|eventstats sum(no) as total|eval percentage=((no/total)*100)."%"

FrankVl · ‎02-05-2018

...your search here...
| eventstats sum(NumberCompleted) as total
| eval PercentageCompleted=(NumberCompleted/total)*100

Eventstats will append a field "total" to each row, with the total of the Number column. That can then be used in an eval to calculate the completion per row.

How to sum all values in a column using the "eval" command?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!