Re: Query to calculate the total count and percent...

Jiten009 · ‎04-05-2013

Hi,
I have below query and its working fine.

sourcetype="mylogs" | fields QTime |eval QTimes = case(QTime<50, "0-50ms", QTime<100, "50-100ms", QTime<150 , "100-150ms") | chart count by QTimes
Its displaying me the count of each range QTime<50,QTime<100,QTime<150 in seperate rows with corresponding count. I want to modify the query to add the total count(sum of all 3 ranges) and corresponding percentage in each row.

Please help me in resolving it.

kristian_kolb · ‎04-05-2013

instead of the chart at the end, try;

... | top QTimes | addcoltotals labelfield=QTimes label=Total

/K

Hmm, weird, but addcoltotals does not seem to work at my end. Or rather the labelfield does not. If the values in the column you want to use for the label are numeric, it seems that you'll get the total for them, instead of the label..

UPDATE:

No, addcoltotals works perfectly fine, it's just that if the values in the column that you want to use for the label (typically where it says "Total" at the bottom) is numeric (dec or hex at least) the total for that column will be calculated as well, and the label will not overwrite that.

The only thing is to ensure that the values cannot be summed, i.e. by adding some non-computable string to them. In your case you seem to have already done that, since 0-50ms cannot be added to 51-100ms

FYI I tested this with web logs with the standard (numeric) status codes (200, 404 etc). With an eval status=status."ms" before top every thing computed nicely for the count and percentage.

/K

kristian_kolb · ‎04-07-2013

see update

Jiten009 · ‎04-05-2013

Hi, this option is not working at my end too. Do you have any other idea ?

Query to calculate the total count and percentage

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!