Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Percent of Total

sondradotcom
Path Finder
‎08-27-2010 07:19 PM

I'm trying to figure out how to calculate a percent of total such that:

search string | stats count percent by email

Would spit out:

EMAIL               COUNT PERCENT
email@blah.com          5     10%
otheremail@blah.com    10     20%

Thanks! -S.

Tags (1)
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-27-2010 07:36 PM

Try the top command:

search string | top email

If you're getting the data from a "stats" or "sistats" in a summary index, it's a bit harder, but certainly possible.

For a summary populated by "stats":

index=summary source=<search_name> | stats sum(count) as count by email | eventstats sum(count) as total | eval percent = round(count/total) . " %" | fields - total

For a summary populated by "sistats":

index=summary source=<search_name> | stats count by email | eventstats sum(count) as total | eval percent = round(count/total) . " %" | fields - total
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-28-2010 06:20 PM

Correct, do not use top in this circumstance. Use stats and eventstats as Stephen as shown above.

0 Karma
Reply

sondradotcom
Path Finder
‎08-27-2010 07:44 PM

So, I'm searching against a summary index. In an effort to keep the summary index multi-purpose, I created it as a sistats (run hourly), as in:

sourcetype="blah" earliest="-2h@h" latest="-1h@h" | sistats count by email

So if I used "top" for a query on the summary index, and a certain email showed up 100 times each hour, "top" would only count the number of times the email showed up in the summary index (a maximum of one per hour).

So, is it possible to imitate "top" in this circumstance? Am I just making this too hard on myself?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...