Solved: Percent matching events

c799651 · ‎06-12-2020

I have a search that find a match of events

this counts all events that match the string

index=data-kia-cer-app-n sourcetype=cer | regex "BLOCK,\d*,\d*,1"| stats count as "default"

I would like a search that results in a percent figure of this match as proportion of all events.

Thanks

rnowitzki · ‎06-12-2020

Hi,

This adds a column "total" and "percentage" to the table:

index=data-kia-cer-app-n sourcetype=cer 
| eventstats count as total 
| regex "BLOCK,\d*,\d*,1"
| stats count as "default" by total 
| eval percentage=(default*100)/total

You might want to remove some decimals and add a "%" to the percentage field..

--
Karma and/or Solution tagging appreciated.

View solution in original post

rnowitzki · ‎06-12-2020

Hi,

This adds a column "total" and "percentage" to the table:

index=data-kia-cer-app-n sourcetype=cer 
| eventstats count as total 
| regex "BLOCK,\d*,\d*,1"
| stats count as "default" by total 
| eval percentage=(default*100)/total

You might want to remove some decimals and add a "%" to the percentage field..

--
Karma and/or Solution tagging appreciated.

c799651 · ‎06-15-2020

Thanks. This worked!!

Percent matching events

regex

stats

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases