Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Show percentage of total by buckets

cosullivan66
Explorer
‎02-04-2013 11:12 AM

I'm evaluating a variable called lengthofpayload. I want to separate it into 10 buckets: 0-1000, 1000-2000, etc. Each bucket has a number of events in it, and I want to find the percent of the total events found in that time window each bucket holds. For example, if I wanted to find the number of events and how their payload lengths are distributed in the last 24 hours, it'd look like this:

6,000 events found  
lengthofpayload             percentage  
0-1000 16%  
1000-2000                   40%  
2000-3000                   20%

I found this link to something similar, but I don't want a timechart in the end: http://splunk-base.splunk.com/answers/27590/charting-percentage-of-a-total-over-time

This is the code I'm using and I think it's close but it doesn't work. It prints nothing out for the first(percentage) variable. 

sourcetype="dbmon:kv" |  
search EVENTTYPE="ScreenSharingEvent" |   
eval lengthofpayload=len(PAYLOAD) |  
bucket lengthofpayload bins=10 |  
eventstats count as total by length of payload |  
stats count first(total) as total by lengthofpayload |  
eval percent=(count/total)*100 |  
chart first(percent) by lengthofpayload

Thanks in advance for help/suggestions!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎02-04-2013 01:22 PM

You can use | top: it will give you the distribution # and % of results grouped by the value of a field. 

sourcetype="dbmon:kv" 
| search EVENTTYPE="ScreenSharingEvent"
| eval lengthofpayload=len(PAYLOAD)
| bucket lengthofpayload bins=10
| top lengthofpayload

View solution in original post

Reply
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎02-04-2013 01:22 PM

You can use | top: it will give you the distribution # and % of results grouped by the value of a field. 

sourcetype="dbmon:kv" 
| search EVENTTYPE="ScreenSharingEvent"
| eval lengthofpayload=len(PAYLOAD)
| bucket lengthofpayload bins=10
| top lengthofpayload
Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎02-04-2013 01:55 PM

| top showcount=false lengthofpayload

Reply
Solved! Jump to solution

cosullivan66
Explorer
‎02-04-2013 01:52 PM

I'd like it to display % without #. Do you know how to delete the # column?

0 Karma
Reply
Solved! Jump to solution

cosullivan66
Explorer
‎02-04-2013 01:49 PM

Ah this is so obvious now. Thanks so much!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...