
Query to calculate the total count and percentage

Explorer

Hi,
I have the query below and it's working fine.

sourcetype="mylogs" | fields QTime | eval QTimes = case(QTime<50, "0-50ms", QTime<100, "50-100ms", QTime<150, "100-150ms") | chart count by QTimes

It's displaying the count of each range (QTime<50, QTime<100, QTime<150) in separate rows with the corresponding count. I want to modify the query to add the total count (sum of all 3 ranges) and the corresponding percentage in each row.

Please help me in resolving it.

0 Karma

Re: Query to calculate the total count and percentage

Ultra Champion

Instead of the chart at the end, try:

... | top QTimes | addcoltotals labelfield=QTimes label=Total

/K

Hmm, weird, but addcoltotals does not seem to work at my end. Or rather the labelfield does not. If the values in the column you want to use for the label are numeric, it seems that you'll get the total for them, instead of the label.


UPDATE:

No, addcoltotals works perfectly fine, it's just that if the values in the column that you want to use for the label (typically where it says "Total" at the bottom) are numeric (dec or hex at least), the total for that column will be calculated as well, and the label will not overwrite that.

The only thing is to ensure that the values cannot be summed, i.e. by adding some non-computable string to them. In your case you seem to have already done that, since 0-50ms cannot be added to 51-100ms.

FYI, I tested this with web logs with the standard (numeric) status codes (200, 404 etc). With an eval status=status."ms" before top, everything computed nicely for the count and percentage.

/K

0 Karma
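
The request in the question (per-range count, the overall total on every row, and a percentage) written out as one complete search; this is an added example, not a query posted by anyone in the thread. It uses stats, eventstats and eval in place of top so the total appears on each row, and the field names total and percent are chosen for this example only.

```spl
sourcetype="mylogs"
| fields QTime
| eval QTimes = case(QTime<50, "0-50ms", QTime<100, "50-100ms", QTime<150, "100-150ms")
| stats count by QTimes
| eventstats sum(count) as total
| eval percent = round(count / total * 100, 2)
| addcoltotals labelfield=QTimes label=Total count percent
```

Events with QTime of 150 or more match no case() branch, so QTimes is null for them and stats leaves them out of both the counts and the total. Listing count and percent after addcoltotals limits the summing to those two columns, and the label lands in QTimes because its values are strings, as the update above explains.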

Re: Query to calculate the total count and percentage

Explorer

Hi, this option is not working at my end either. Do you have any other idea?

0 Karma

Re: Query to calculate the total count and percentage

Ultra Champion

See update.

0 Karma