Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to sum all values in a column using the "eval" command?

mstrozyk25
Engager
‎02-05-2018 07:26 AM

I have a query in which each row represents statistics for an individual person. I want to sum up the entire amount for a certain column and then use that to show percentages for each person.

Example:

Person | Number Completed
x | 20
y | 30
z | 50

From here I would love the sum of "Number Completed" (100) and then use that to add the field like so:

Person | Number Completed | Percentage Completed
x | 20 | 20%
y | 30 | 30%
z | 50 | 50%

I am having trouble thinking of ways to do this without the eval command as I have already gathered statistics "by Person" which is limiting me from gathering the statistics of the whole.

If you could help me out that would be greatly appreciated. Thanks!

Reply

493669
Super Champion
‎02-05-2018 07:59 AM

Try this run anywhere search:

|makeresults|eval person="x", no="20"|append[|makeresults|eval person="y", no="30"]|append[|makeresults|eval person="z", no="50"]|table person no|stats values(no) as no by person|eventstats sum(no) as total|eval percentage=((no/total)*100)."%"
Reply

FrankVl
Ultra Champion
‎02-05-2018 07:57 AM 
...your search here...
| eventstats sum(NumberCompleted) as total
| eval PercentageCompleted=(NumberCompleted/total)*100

Eventstats will append a field "total" to each row, with the total of the Number column. That can then be used in an eval to calculate the completion per row.

Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...