Percentage Calculation

rpascua · ‎04-01-2014

My REGEX:

| rex "\sof (?<Name>[A-Za-z0-9_]+)" | rex "\sdeposit \((?<Deposit>\d+)" | rex "\s*withdrawal \((?<Withdrawal>\d+)" | table Name Deposit Withdrawal | addtotals Withdrawal "\s*withdrawal \((?<Withdrawal>\d+)"

The problem:
I would like to have the percentage of the Withdrawn amount. So for example:

John_Doe2   Deposit 100   Withdrawal 90

I would like to add a column that shows the percentage "%" and add the calculation of that amount into my REGEX. Here's what I have so far:

| rex "\sof (?<Name>[A-Za-z0-9_]+)" | rex "\sdeposit \((?<Deposit>\d+)" | rex "\s*withdrawal \((?<Withdrawal>\d+)" | table Name Deposit Withdrawal | addtotals Withdrawal "\s*withdrawal \((?<Withdrawal>\d+)" | stats sum(Deposit) sum(Withdrawal) by Name | eval percent=(Withdrawal/Deposit) | table percent

I tried different combinations of eval and stats but keep coming up empty. Any assistance would be much appreciated.

martin_mueller · ‎04-01-2014

Your stats produces fields called sum(fieldname), rename them before doing further calculations like this:

... | stats sum(Deposit) as sum_deposit sum(Withdrawal) as sum_withdrawal | eval percent = sum_withdrawal/sum_deposit*100."%"

Note, your call to addtotals contains odd regular expressions that make little sense there.

Percentage Calculation

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

Percentage Calculation

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...