Percentage of value combinations in the dataset

CarbonCriterium · ‎07-31-2020

Hello,

I am looking to figure out the percentage of times certain value combinations appear in the data. The field I am looking to construct in the sample below is "combo."

Field1	Field2	combo
A	Y	10
A	Z	20
B	Y	20
B	Z	40
C	Z	10

In the sample the A value appears in 30% of all events, Y appears in 30% of all events, and the combination of AY appears in 10% of all events. Pieces of the following code have worked by themselves but not together.

... | stats count by Field1 Field2 as combo | eventstats sum(count) as total | eval perc=(combo/total)

thambisetty · ‎07-31-2020

You can simply use top command:

| top 10 field1,filed2

10 gives - top 10 combinations with percentage from field1, field2

if you want to get % for all such combinations in your dataset use limit=0

| top limit=0 field1,filed2

————————————
If this helps, give a like below.

CarbonCriterium · ‎07-31-2020

That produces a result but it doesn't help me very much. I need to perform this function on all the events in the dateset and use the percentage later in another function.

Can you tell me how to find the percentage for all events and save the result?

to4kawa · ‎07-31-2020

| makeresults
| eval _raw="Field1	Field2	combo
A	Y	10
A	Z	20
B	Y	20
B	Z	40
C	Z	10"
| multikv forceheader=1
| table Field1	Field2	combo

| rename COMMENT as "this is logic"
| eval Field3=Field1.Field2
| untable combo name Fields
| eventstats sum(eval(if(name="Field3",combo,NULL))) as total
| stats sum(combo) as count max(total) as total by Fields
| eval perc=count/total * 100

Percentage of value combinations in the dataset

stats

table

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes