Re: Percentage Calculation

rpascua · ‎04-01-2014

My REGEX:

| rex "\sof (?<Name>[A-Za-z0-9_]+)" | rex "\sdeposit \((?<Deposit>\d+)" | rex "\s*withdrawal \((?<Withdrawal>\d+)" | table Name Deposit Withdrawal | addtotals Withdrawal "\s*withdrawal \((?<Withdrawal>\d+)"

The problem:
I would like to have the percentage of the Withdrawn amount. So for example:

John_Doe2   Deposit 100   Withdrawal 90

I would like to add a column that shows the percentage "%" and add the calculation of that amount into my REGEX. Here's what I have so far:

| rex "\sof (?<Name>[A-Za-z0-9_]+)" | rex "\sdeposit \((?<Deposit>\d+)" | rex "\s*withdrawal \((?<Withdrawal>\d+)" | table Name Deposit Withdrawal | addtotals Withdrawal "\s*withdrawal \((?<Withdrawal>\d+)" | stats sum(Deposit) sum(Withdrawal) by Name | eval percent=(Withdrawal/Deposit) | table percent

I tried different combinations of eval and stats but keep coming up empty. Any assistance would be much appreciated.

martin_mueller · ‎04-01-2014

Your stats produces fields called sum(fieldname), rename them before doing further calculations like this:

... | stats sum(Deposit) as sum_deposit sum(Withdrawal) as sum_withdrawal | eval percent = sum_withdrawal/sum_deposit*100."%"

Note, your call to addtotals contains odd regular expressions that make little sense there.

Percentage Calculation

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation