Splunk Search
Highlighted

Percentage for the daily stats

Explorer

Dear Excepts ,
Need your help to calculate percentage for daily stats.

I am using below query to calculate daily stats and their totals. Need your help come with percentage calculation for each uri_path as shown in "Excepted Results". your help would be much appreciated.

current Query :
index=test sourcetype=123:abc:abc tag::source=AP
uripath="/url/url1" OR uripath="/url/url2"
OR uripath="/url/url3" OR uripath="/url/url4"
| timechart span=1d count by "uri_path" limit=0 | addtotals

Current Results :
_time /url/url1 /url/url2 /url/url3 /url/url4 Total
2019-08-29T00:00:00.000+0000 100 100 100 100 400
2019-08-30T00:00:00.000+0000 100 100 100 100 400
2019-08-31T00:00:00.000+0000 100 100 100 100 400
2019-09-01T00:00:00.000+0000 100 100 100 100 400
2019-09-02T00:00:00.000+0000 100 100 100 100 400

Excepted Results :
_time /url/url1 /url/url2 /url/url3 /url/url4 Total
2019-08-29T00:00:00.000+0000 100 100 100 100 400
Percentage for 2019-08-29 25% 25% 25% 25% 25%
2019-08-30T00:00:00.000+0000 100 100 100 100 400
Percentage for 2019-08-30 25% 25% 25% 25% 25%
2019-08-31T00:00:00.000+0000 100 100 100 100 400
Percentage for 2019-08-31 25% 25% 25% 25% 25%
2019-09-01T00:00:00.000+0000 100 100 100 100 400
Percentage for 2019-09-01 25% 25% 25% 25% 25%
2019-09-02T00:00:00.000+0000 100 100 100 100 400
Percentage for 2019-09-02 25% 25% 25% 25% 25%

Tags (2)
0 Karma
Highlighted

Re: Percentage for the daily stats

SplunkTrust
SplunkTrust

If your URLs are in a predictable format, then you could do something like this:

your search
| foreach '/url*' [ |eval pct_<<FIELD>> = round(100*<<FIELD>>/Total,0)]
0 Karma
Highlighted

Re: Percentage for the daily stats

Explorer

@DalJeanis , URLs are not in predictable format. Is it possible to use uri_path in the query to come-up with expected results ?

I tried below query , it didnt work.

index=test sourcetype=123:abc:abc tag::source=AP
uripath="/url/url1" OR uripath="/url/url2"
OR uripath="/url/url3" OR uripath="/url/url4"
| timechart span=1d count by "uripath" limit=0 | addtotals
| foreach 'uri
path' [ |eval pcturipath = round(100*pcturipath/Total,0)]

For testing purpose , I also tried below query. it didnt work. I am getting same output which was printed in my previous post as "Current Results"

index=test sourcetype=123:abc:abc tag::source=AP
uripath="/url/url1" OR uripath="/url/url2"
OR uripath="/url/url3" OR uripath="/url/url4"
| timechart span=1d count by "uripath" limit=0 | addtotals
| foreach '/url*' [ |eval pct
url = round(100*pct_url/Total,0)]

0 Karma
Highlighted

Re: Percentage for the daily stats

Explorer

@DalJeanis , Please advice if you have any feedback for my previous post.

0 Karma
Highlighted

Re: Percentage for the daily stats

Explorer

Any other suggestions from anyone else ?

0 Karma