Re: Is there a way to divide the addcoltotals from... - Splunk Community

Splunk Search

Is there a way to divide the addcoltotals from each case statement in the following :

eval daysclass=case(
NoOfDays<=14,"0-14 DAYS ",
NoOfDays>15 AND NoOfDays<=28,"14-28 DAYS ",
NoOfDays>29 AND NoOfDays<=42,"28-42 DAYS ",
NoOfDays>43 AND NoOfDays<=56,"42-56 DAYS",
NoOfDays>57, "56 DAYS OR MORE "
,1=1,"NULL")|search daysclass!=NULL|stats count(Name) AS "COUNT" by daysclass| ADDCOLTOTALS

if i get what you're doing, i think this might work:

eval daysclass=case(
 NoOfDays<=14,"0-14 DAYS ",
 NoOfDays>15 AND NoOfDays<=28,"14-28 DAYS ",
 NoOfDays>29 AND NoOfDays<=42,"28-42 DAYS ",
 NoOfDays>43 AND NoOfDays<=56,"42-56 DAYS",
 NoOfDays>57, "56 DAYS OR MORE "
 ,1=1,"NULL")|search daysclass!=NULL|stats count(Name) AS "COUNT" by daysclass|eventstats sum(COUNT) as total|eval divide=COUNT/total

Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...