Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Percentage of value combinations in the dataset

CarbonCriterium
Path Finder
‎07-31-2020 11:16 AM

Hello,

I am looking to figure out the percentage of times certain value combinations appear in the data.   The field I am looking to construct in the sample below is "combo."

Field1Field2combo
AY10
AZ20
BY20
BZ40
CZ10


In the sample the A value appears in 30% of all events, Y appears in 30% of all events, and the combination of AY appears in 10% of all events.  Pieces of the following code have worked by themselves but not together. 

... | stats count by Field1 Field2 as combo | eventstats sum(count) as total | eval perc=(combo/total)

Labels (2)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎07-31-2020 12:15 PM

You can simply use top command:

 

| top 10 field1,filed2 

 

10 gives - top 10 combinations with percentage from field1, field2

if you want to get % for all such combinations in your dataset use limit=0

 

| top limit=0 field1,filed2

————————————
If this helps, give a like below.
0 Karma
Reply

CarbonCriterium
Path Finder
‎07-31-2020 12:56 PM

That produces a result but it doesn't help me very much.  I need to perform this function on all the events in the dateset and use the percentage later in another function. 

Can you tell me how to find the percentage for all events and save the result?

0 Karma
Reply

to4kawa
Ultra Champion
‎07-31-2020 04:34 PM 
| makeresults
| eval _raw="Field1	Field2	combo
A	Y	10
A	Z	20
B	Y	20
B	Z	40
C	Z	10"
| multikv forceheader=1
| table Field1	Field2	combo

| rename COMMENT as "this is logic"
| eval Field3=Field1.Field2
| untable combo name Fields
| eventstats sum(eval(if(name="Field3",combo,NULL))) as total
| stats sum(combo) as count max(total) as total by Fields
| eval perc=count/total * 100
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...