Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Percentage of counts (view through rates)

kramsay
Engager
‎01-09-2014 07:42 AM

I am looking to get percentages into a table.

I have 2 separate searches that count different events. I will like to combine the different searches into one table where the event count searches divide by the counts of the other search.

For example. If one search has a count of 50 and the other search has a count of 90. I will like a to create a table that shows 50/90= 55%.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-09-2014 08:13 AM

Try something like this.

<your first search | stats count(blah) as count_first> | appendcols [search <your send search | stats count(blahblah) as count second >] | eval perc=round(count_first*100/count_second,2)

Updated query per your example

index=www VTR=100 OR VTR=50| stats count(eval(VTR=100)) as Count100, count(eval(VTR=50)) as Count50 | eval percentage=(Count100/Count50)*100

View solution in original post

Reply
Solved! Jump to solution

kramsay
Engager
‎01-09-2014 12:01 PM

Here is a sample search:

Search 1
index=www VTR=100 | stats count(VTR)

Search 2
index=www VTR=50 | stats count(VTR)

Thanks.

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎01-09-2014 09:27 AM

Can you post a sample search? It can probably be done without using appends (which are inefficient)

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-09-2014 08:13 AM

Try something like this.

<your first search | stats count(blah) as count_first> | appendcols [search <your send search | stats count(blahblah) as count second >] | eval perc=round(count_first*100/count_second,2)

Updated query per your example

index=www VTR=100 OR VTR=50| stats count(eval(VTR=100)) as Count100, count(eval(VTR=50)) as Count50 | eval percentage=(Count100/Count50)*100
Reply
Solved! Jump to solution

kramsay
Engager
‎01-09-2014 02:50 PM

Thanks so much that worked like a charm

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-09-2014 01:17 PM

Ohh my bad. "<" was just used as placeholder for your search string. see updated answer per your example.

0 Karma
Reply
Solved! Jump to solution

kramsay
Engager
‎01-09-2014 12:09 PM

I tried the following:

| appendcols [search ] | eval perc=round(count_first*100/count_second,2)

but i am getting the following error.

Error in 'search' command: Unable to parse the search: Comparator '<' is missing a term on the left hand side.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...