Solved: Percentage of search field by day

Mick_OBrien · ‎10-30-2024

Hi All

I have a search string ...

index="ee_apigee" vhost="rbs" uri="/eforms/v1.0/cb/*"
| rex "(?i) .*?=\"(?P<httpstatus>\d+)(?=\")"
| bucket _time span=day
| stats count by _time, httpstatus
| eventstats sum(count) as total
| eval percent = (count/total)*100 . " %"
| fields - total

...whose percent field is showing a percentage over entire period searched and not just the 'day'. How can above be modified to give percentage per day for each httpstatus?

Mick_OBrien · ‎10-30-2024

Found an example and this seems to work...

index="ee_apigee" vhost="rbs" uri="/eforms/v1.0/cb/*"
| rex "(?i) .*?=\"(?P<httpstatus>\d+)(?=\")"
| bucket _time span=day
| stats count by _time, httpstatus
| eventstats sum(count) as totalCount by _time
| eval percentage = round((count/totalCount)*100,3) . " %"
| table _time httpstatus count percentage

View solution in original post

Mick_OBrien · ‎10-30-2024

Found an example and this seems to work...

index="ee_apigee" vhost="rbs" uri="/eforms/v1.0/cb/*"
| rex "(?i) .*?=\"(?P<httpstatus>\d+)(?=\")"
| bucket _time span=day
| stats count by _time, httpstatus
| eventstats sum(count) as totalCount by _time
| eval percentage = round((count/totalCount)*100,3) . " %"
| table _time httpstatus count percentage

Percentage of search field by day

count

stats

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Customer success is front and center at .conf25

.conf25 Global Broadcast: Don’t Miss a Moment

Are you a member of the Splunk Community?