Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sum(field) depending on another field

marina_rovira
Contributor
‎02-22-2016 02:24 AM

Hello all,

I have a field called Type with three values and I want a chart of the percentage of these three values. I am looking for a chart like this, which is easy to achieve:

alt text

But with the % value over the total count of another field for each type. I have a field called Count, that I want to sum for each type, so by now, my search is this:

| timechart sum(Count) by Type

The thing is that I cannot find a way to sum this field depending of the Type field. If I had the sum, I could calculate the percentage myself.

Someone knows if I can do it?

Thanks in advance!

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-22-2016 08:34 AM

Try something like this

your base search | bucket span=1mon _time | stats sum(count) as count by _time Type | eventstats sum(count) as Total by _time | eval Percent=round(count*100/Total) | timechart span=1mon max(Percent) by Type

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-22-2016 08:34 AM

Try something like this

your base search | bucket span=1mon _time | stats sum(count) as count by _time Type | eventstats sum(count) as Total by _time | eval Percent=round(count*100/Total) | timechart span=1mon max(Percent) by Type
Reply
Solved! Jump to solution

fdi01
Motivator
‎02-22-2016 03:22 AM

to chart of the percentage of these three values , try like :

...| top  Type

or
try thi :

...| stats count by Type | eventstats sum(count) as total | eval percent = round(count/total) . " %" | fields - total
Reply
Solved! Jump to solution

marina_rovira
Contributor
‎02-22-2016 04:32 AM

It works! for one month, do you if there is a possibility to do it over month? as a timechart or something?

Thank you!

0 Karma
Reply
Solved! Jump to solution

fdi01
Motivator
‎02-22-2016 05:00 AM

try like:

...|bucket _time span=1months| top  Type by _time
Reply
Solved! Jump to solution

marina_rovira
Contributor
‎02-22-2016 09:28 AM

Thank you so much! 🙂

0 Karma
Reply
Solved! Jump to solution

marina_rovira
Contributor
‎02-22-2016 05:36 AM

okay, I'm approaching to it.

I need a mix of these two queries, noy I have:

  • on one hand:
    | stats sum(Count) as suma by Type | eventstats sum(suma) as total | eval percent = round((suma/total)*100,0)."%"

  • on the other hand:
    |bucket _time span=1months| top Type by _time

Now, I need to sum the field Count for Type and moth. With this last thing you wrote me, I almost achieve it, but it counts the events and I need to sum a field for the events.

Thanks, you're helping me a lot!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...