Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Percentages display
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Percentages display
If I want to display percentages as well as a count for a table and I want the percentages out of the total count of the table, how do I display that?
|multisearch [search index = blah sourcetype="blah" host=blah | tstats count WHERE index = blah sourcetype="blah" host=blah earliest=@mon
| eval earliest=if(cou... OR ("NAME"="blah") | eval Coast ="EastCoast"]
[search index = blah sourcetype="blah " host=blah
| tstats count WHERE index = blah sourcetype="blah " host=blah earliest=@mon
| eval earliest=if(cou...
OR ("NAME"="blah *") | eval Coast ="WestCoast"]| dedup HOST.IP |stats count(blah) as NumberOfIPs by Coast
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
|multisearch [search index = blah sourcetype="blah" host=blah [| tstats count WHERE index = blah sourcetype="blah" host=blah earliest=@mon
| eval earliest=if(count=0,"-1mon@mon","@mon") | table earliest ]
("NAME"="blah_*") OR ("NAME"="blah") | eval Coast ="EastCoast"]
[search index = blah sourcetype="blah " host=blah
[| tstats count WHERE index = blah sourcetype="blah " host=blah earliest=@mon
| eval earliest=if(count=0,"-1mon@mon","@mon")
| table earliest ]
("NAME"="blah _*") OR ("NAME"="blah *") | eval Coast ="WestCoast"]| dedup HOST.IP |stats count(blah) as NumberOfIPs by Coast
| eventstats sum(NumberOfIPs) as Total
| eval Percentage=round(NumberOfIPs*100/Total,2)
| fields - Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you could use |top otherwise you'll have to do some math.
|stats count(_raw) as total
|stats count(x) by x as foo
|eval perc = ((foo / total)*100) + "%"
http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Top
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
