Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Stats as Percentages Of Total
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stats as Percentages Of Total
Hi,
I have a search like this:
search... | fields + user, country| stats dc(user) AS Users by country | sort - Users
The result is a table like this:
Country A - 1000
Country B - 500
Country C - 500
Is there an easy way to display the share per country in %?
Country A - 50
Country B - 25
Country C - 25
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The corrected query is:
search... | fields + user, country| eventstats dc(user) as totalcount | stats dc(user) AS Users by country, totalcount | eval countrypercent=Users/totalcount*100 | sort - Users
The problem with the original query is that it didn't pass totalcount in the stats statement.
So the percentage could not be calculated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can calculate a total distinct count and then divide your Users value by this to get a percentage.
search... | fields + user, country| eventstats dc(user) as totalcount | stats dc(user) AS Users by country | eval countrypercent=Users/totalcount*100 | sort - Users
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I downvoted this post because refined query in later post solves the problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like this now:
search...| fields + user
| eventstats dc(user) as totalcount
| stats dc(user) AS Users by Country
| eval countrypercent=Users/totalcount*100
This results in the original table including the total counts per Country. I also tried out to find the entries for totalcount with "| table totalcount". But there are no results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Neither eventstats nor eval filter events in any way so I suspect you're doing some other error. What does your search look like now?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
i tried this out, but Splunk tells me "no results found" after adding the eventstats & eval command.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
