Splunk Search

Query to calculate the total count and percentage

Jiten009
Explorer

Hi,
I have the below query and it's working fine.

sourcetype="mylogs" | fields QTime | eval QTimes = case(QTime<50, "0-50ms", QTime<100, "50-100ms", QTime<150, "100-150ms") | chart count by QTimes

It's displaying me the count of each range QTime<50, QTime<100, QTime<150 in separate rows with the corresponding count. I want to modify the query to add the total count (sum of all 3 ranges) and the corresponding percentage in each row.

Please help me in resolving it.

0 Karma

kristian_kolb
Ultra Champion

Instead of the chart at the end, try:

... | top QTimes | addcoltotals labelfield=QTimes label=Total

/K

Hmm, weird, but addcoltotals does not seem to work at my end. Or rather the labelfield does not. If the values in the column you want to use for the label are numeric, it seems that you'll get the total for them, instead of the label.


UPDATE:

No, addcoltotals works perfectly fine, it's just that if the values in the column that you want to use for the label (typically where it says "Total" at the bottom) are numeric (dec or hex at least) the total for that column will be calculated as well, and the label will not overwrite that.

The only thing is to ensure that the values cannot be summed, i.e. by adding some non-computable string to them. In your case you seem to have already done that, since 0-50ms cannot be added to 51-100ms.

FYI, I tested this with web logs with the standard (numeric) status codes (200, 404 etc). With an eval status=status."ms" before top everything computed nicely for the count and percentage.

/K

0 Karma
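
An added example, not part of any post in this thread: one way to get the per-range count, the overall total on every row, and the percentage, using stats, eventstats and eval instead of top. The sourcetype, QTime and QTimes come from the question; the field names total and percent are chosen here for illustration.

```spl
sourcetype="mylogs"
| fields QTime
| eval QTimes = case(QTime<50, "0-50ms", QTime<100, "50-100ms", QTime<150, "100-150ms")
| stats count by QTimes
| eventstats sum(count) as total
| eval percent = round(count / total * 100, 2)
| addcoltotals labelfield=QTimes label=Total count percent
```

Because the QTimes values are non-numeric strings, the "Total" label lands in that column as described in the update above. Events with QTime of 150 or more get no QTimes value from this case() and are left out of both the counts and the total.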

kristian_kolb
Ultra Champion

See update.

0 Karma

Jiten009
Explorer

Hi, this option is not working at my end too. Do you have any other idea?

0 Karma