- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Search not calculating percentages when a join...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All - I have what I originally thought was a simple problem. I needed to calculate a percentage from two values in a row.
For example, my current output looks like
Repeat Phish Campaign Total_Emails E-Mails_clicked percentage
2 1000 100
4 2000 400
6 3000 1500
I can't seem to get the search to calculate the percentage between the total and clicked emails. Here is the current search that generates the above output.
sourcetype=phishing_recipients repeat
| stats count as phishingRcvd by campID
| join type=outer max=0 campID [search sourcetype=phishing_clickers]
| stats first(phishingRcvd) as Total_E-mails_Sent, count(userID) as E-Mails_Clicked by campID
| eval percentage = E-Mails_Clicked * 100 / Total_E-mails_Sent
| rename campID as "Repeat Phish Campaign"
| table "Repeat Phish Campaign", Total_E-mails_Sent, E-Mails_Clicked, percentage
I am raising the white flag on this one...
Thanks! Mike
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should work.
... | eval perc = email_clicked / total_email * 100
If you are not getting any results at all for the percentage, I would recommend you to rename your fields, so that they do not contain hyphens, i.e. Total_E_mails_Sent instead of Total_E-mails_sent etc..
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should work.
... | eval perc = email_clicked / total_email * 100
If you are not getting any results at all for the percentage, I would recommend you to rename your fields, so that they do not contain hyphens, i.e. Total_E_mails_Sent instead of Total_E-mails_sent etc..
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yup - great call. Splunk did not like the underscore in the field names. 3 hours of my life I won't get back 😉 Thanks! Mike
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
