Solved: Percentage of search field by day

Mick_OBrien · ‎10-30-2024

Hi All

I have a search string ...

index="ee_apigee" vhost="rbs" uri="/eforms/v1.0/cb/*"
| rex "(?i) .*?=\"(?P<httpstatus>\d+)(?=\")"
| bucket _time span=day
| stats count by _time, httpstatus
| eventstats sum(count) as total
| eval percent = (count/total)*100 . " %"
| fields - total

...whose percent field is showing a percentage over entire period searched and not just the 'day'. How can above be modified to give percentage per day for each httpstatus?

Mick_OBrien · ‎10-30-2024

Found an example and this seems to work...

index="ee_apigee" vhost="rbs" uri="/eforms/v1.0/cb/*"
| rex "(?i) .*?=\"(?P<httpstatus>\d+)(?=\")"
| bucket _time span=day
| stats count by _time, httpstatus
| eventstats sum(count) as totalCount by _time
| eval percentage = round((count/totalCount)*100,3) . " %"
| table _time httpstatus count percentage

View solution in original post

Mick_OBrien · ‎10-30-2024

Found an example and this seems to work...

index="ee_apigee" vhost="rbs" uri="/eforms/v1.0/cb/*"
| rex "(?i) .*?=\"(?P<httpstatus>\d+)(?=\")"
| bucket _time span=day
| stats count by _time, httpstatus
| eventstats sum(count) as totalCount by _time
| eval percentage = round((count/totalCount)*100,3) . " %"
| table _time httpstatus count percentage

Percentage of search field by day

count

stats

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation