Splunk Search

Percentage calculation by timechart

Path Finder

We have a request to get values from a particular field based on the % of the bin count.

(1) index=ABC | timechart span=1d count by => By this we get the count of the bins for the particular days, spanned by day.

(2) index=ABC| top limit=0 => By this we get the bin % of the field value, but it is not spanned; it covers the number of days we select in the time picker.

So I am looking for a search which will:
i. calculate the bin count of the values in i.e. error no 400, 200, 201, 208 separately; these should also be spanned based on the timechart we specify, i.e. if I want the bin count on a per-day basis for the month it should show that.

Thanks in advance for the help with the query.

Path Finder

Thanks cmerriman, renjith.nair for your replies. One of my colleagues also found exactly what the client was looking for; the query looks as pasted below. However, I'll also try the queries you mentioned above so we have some more queries ready in case the client comes with something new. 🙂

index=<Index_Name> CustomField=<Custom_Field1> CustomField=<Custom_Field2>| bucket _time span=1d | stats count by _time,<Custom_Field2> | eventstats sum(count) as total by _time | eval percent=((count/total)*100)| table _time, <Custom_Field2>, count, total, percent
0 Karma

Super Champion

This should work:

index=ABC|bucket _time span=1d| stats count by errorNo _time|eventstats sum(count) as total by errorNo |eval percentage=(count/total)*100|chart values(percentage) by _time errorNo

However, the answer that @renjith.nair gave seems logical as well; foreach statements work wonders.

0 Karma

SplunkTrust

Does this help?

index=your index|timechart span=10m count by error_no|addtotals row=true fieldname=_Total|foreach * [eval <<FIELD>> = '<<FIELD>>' * 100 / _Total]

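Added example, not from any post in this thread: a Python re-implementation, over constructed events, of what the per-day percentage queries above compute (the accepted `bucket _time span=1d | stats count by _time, <field> | eventstats sum(count) as total by _time` form and the `timechart ... | addtotals row=true | foreach * [...]` form both divide each bucket's count by that bucket's total), alongside the other normalisation produced by `eventstats sum(count) as total by errorNo`, which divides by the code's total across the whole period. Seeing both on the same input makes it easy to check which one a dashboard actually shows before relying on it. The timestamps, error numbers and function names are assumptions made up for the example; days are bucketed in UTC.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the thread): ISO timestamp and error number.
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00Z", 200),
    ("2024-03-01T09:15:00Z", 200),
    ("2024-03-01T10:30:00Z", 400),
    ("2024-03-01T11:45:00Z", 201),
    ("2024-03-02T08:00:00Z", 200),
    ("2024-03-02T09:00:00Z", 400),
    ("2024-03-02T10:00:00Z", 400),
    ("2024-03-02T11:00:00Z", 208),
    ("2024-03-02T12:00:00Z", 400),
]


def bucket_day(ts):
    """Equivalent of `bucket _time span=1d`: truncate the timestamp to its UTC day."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.date().isoformat()


def count_by_day_and_code(events):
    """`stats count by _time, error_no` after daily bucketing -> {(day, code): count}."""
    counts = defaultdict(int)
    for ts, code in events:
        counts[(bucket_day(ts), code)] += 1
    return dict(counts)


def percent_of_day(events):
    """Accepted query and the timechart/addtotals/foreach query: share of each
    code within its own day bucket (`eventstats sum(count) as total by _time`)."""
    counts = count_by_day_and_code(events)
    day_totals = defaultdict(int)
    for (day, _code), c in counts.items():
        day_totals[day] += c
    return {(day, code): round(c * 100 / day_totals[day], 2)
            for (day, code), c in counts.items()}


def percent_of_code_over_period(events):
    """The `eventstats sum(count) as total by errorNo` variant normalises the
    other way: each day's share of that code's total across the whole period."""
    counts = count_by_day_and_code(events)
    code_totals = defaultdict(int)
    for (_day, code), c in counts.items():
        code_totals[code] += c
    return {(day, code): round(c * 100 / code_totals[code], 2)
            for (day, code), c in counts.items()}


def as_table(pct):
    """Render like `chart values(percentage) by _time error_no` or timechart:
    one row per day, one column per code, 0.0 where the code did not occur."""
    days = sorted({d for d, _ in pct})
    codes = sorted({c for _, c in pct})
    return {d: {c: pct.get((d, c), 0.0) for c in codes} for d in days}


if __name__ == "__main__":
    print("share within each day:")
    for day, row in as_table(percent_of_day(SAMPLE_EVENTS)).items():
        print(" ", day, row)
    print("share of each code's total over the period:")
    for day, row in as_table(percent_of_code_over_period(SAMPLE_EVENTS)).items():
        print(" ", day, row)
```

On this input the per-day form gives 2024-03-01 as 200: 50%, 201: 25%, 400: 25% (rows sum to 100), whereas the by-code form gives 200 as 66.67% on day one and 33.33% on day two (columns sum to 100). Which normalisation is wanted is exactly the distinction the original question was circling around.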
Communicator

Helped for me - nice solution. Should be accepted answer 😉
Thank you very much.

0 Karma

Path Finder

Hello Renjith, when I used the query it is not giving me a % value; instead it gives me the same bin count as the timechart provides.

Can you please tell me what I need to put for, and is it the same field name which we want the count for?

0 Karma

SplunkTrust

You just execute the same query as a whole. Just change the index name and, if needed, error_no to your error number. Don't change FIELD.

0 Karma