Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Show percentage of total by buckets

cosullivan66
Explorer
‎02-04-2013 11:12 AM

I'm evaluating a variable called lengthofpayload. I want to separate it into 10 buckets: 0-1000, 1000-2000, etc. Each bucket has a number of events in it, and I want to find the percent of the total events found in that time window each bucket holds. For example, if I wanted to find the number of events and how their payload lengths are distributed in the last 24 hours, it'd look like this:

6,000 events found  
lengthofpayload             percentage  
0-1000 16%  
1000-2000                   40%  
2000-3000                   20%

I found this link to something similar, but I don't want a timechart in the end: http://splunk-base.splunk.com/answers/27590/charting-percentage-of-a-total-over-time

This is the code I'm using and I think it's close but it doesn't work. It prints nothing out for the first(percentage) variable. 

sourcetype="dbmon:kv" |  
search EVENTTYPE="ScreenSharingEvent" |   
eval lengthofpayload=len(PAYLOAD) |  
bucket lengthofpayload bins=10 |  
eventstats count as total by length of payload |  
stats count first(total) as total by lengthofpayload |  
eval percent=(count/total)*100 |  
chart first(percent) by lengthofpayload

Thanks in advance for help/suggestions!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎02-04-2013 01:22 PM

You can use | top: it will give you the distribution # and % of results grouped by the value of a field. 

sourcetype="dbmon:kv" 
| search EVENTTYPE="ScreenSharingEvent"
| eval lengthofpayload=len(PAYLOAD)
| bucket lengthofpayload bins=10
| top lengthofpayload

View solution in original post

Reply
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎02-04-2013 01:22 PM

You can use | top: it will give you the distribution # and % of results grouped by the value of a field. 

sourcetype="dbmon:kv" 
| search EVENTTYPE="ScreenSharingEvent"
| eval lengthofpayload=len(PAYLOAD)
| bucket lengthofpayload bins=10
| top lengthofpayload
Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎02-04-2013 01:55 PM

| top showcount=false lengthofpayload

Reply
Solved! Jump to solution

cosullivan66
Explorer
‎02-04-2013 01:52 PM

I'd like it to display % without #. Do you know how to delete the # column?

0 Karma
Reply
Solved! Jump to solution

cosullivan66
Explorer
‎02-04-2013 01:49 PM

Ah this is so obvious now. Thanks so much!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...