Solved: Percentage of overall volume with timechart comman...

tmurray3 · ‎12-16-2014

I am trying to create a report to display the top 5 clients by total volume and their percentage of total volume from a summary index.

Currently, I am reporting top 5 clients by total volume. Here is my query:

index=client_volume_hourly_summary report="keyvolumebyhour" | timechart limit=5 span=1h sum(count)  by clientkey

    _time   c1  client2     OTHER   client3 client4 client5
1   12/15/14 12:00:00.000 AM    587556  184696  989182  1204554 1616047 1100108
2   12/16/14 12:00:00.000 AM    11343   28820   366656  74062   573534  100928

Since the index summary was not created with the sitop command, is there another way to calculate the top 5 clients which displays volume by clientkey and total percentage of overall volume by clientkey?

Thanks in advance for your help!!!

tmurray3 · ‎12-16-2014

Here is the query I used to solve the problem:

index=client_volume_hourly_summary report="keyvolumebyhour" | timechart span=1d sum(count) by clientkey limit=5| untable _time clientkey count|eventstats sum(count) as Total by _time|eval keypercent=round(count*100/Total,2)| table _time,clientkey keypercent | xyseries _time clientkey keypercent

View solution in original post

tmurray3 · ‎12-16-2014

Here is the query I used to solve the problem:

index=client_volume_hourly_summary report="keyvolumebyhour" | timechart span=1d sum(count) by clientkey limit=5| untable _time clientkey count|eventstats sum(count) as Total by _time|eval keypercent=round(count*100/Total,2)| table _time,clientkey keypercent | xyseries _time clientkey keypercent

Percentage of overall volume with timechart command

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...