Splunk Search

Stats count as a percentage as the total?

Path Finder

I have a search in which I am using stats to generate a data grid. Something to the effect of:

Choice1 10
Choice2 50
Choice3 100
Choice4 40

I would now like to add a third column that is the percentage of the overall count. So something like

Choice1 10 .05
Choice2 50 .25
Choice3 100 .50
Choice4 40 .20

I suspect I need to use a subsearch for this because each row now depends on the total count but I am not exactly sure how to accomplish this. Any help would be greatly appreciated.

1 Solution


You can do this without a subsearch - take a look at the eventstats command.


For the earlier question, you could probably do something like this:

... | eventstats count as "totalCount" | eventstats count as "choiceCount" by choice  | eval percent=(choiceCount/totalCount)*100 | stats values(choiceCount), values(percent) by choice

Usually, you can avoid eventstats altogether and just use the "top" command (http://docs.splunk.com/Documentation/Splunk/4.2.3/SearchReference/Top ) like so:

... | top choice limit=0
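
A worked version of the eventstats approach, added here as an example and not part of the original thread. It generates 200 constructed events with makeresults so it can be pasted into any search bar, reduces them with stats first, and then uses eventstats to put the grand total on every row so each row can be divided by it. The field name choice and the 10/50/100/40 split come from the question; the helper field n and the field names total and percent are assumptions made for this example.

```spl
| makeresults count=200
| streamstats count as n
| eval choice=case(n<=10, "Choice1", n<=60, "Choice2", n<=160, "Choice3", true(), "Choice4")
| stats count by choice
| eventstats sum(count) as total
| eval percent=round(count/total, 2)
| fields choice count percent
```

The result is the four-row table from the question with a percent column of 0.05, 0.25, 0.50 and 0.20. Because eventstats runs after stats here, it only has to process one row per choice rather than every raw event.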

Path Finder

In addition to this, in order to avoid using multiple stats stanzas, I use this type of structure with a stats then an eval:

| search (message="Polling" OR message="No data" OR message="503" OR message="Pushing") 
| timechart count(eval(message="Polling")) as Total_Polls count(eval(message="No data")) as Dataless_Polls count(eval(message="503")) as Error_Polls count(eval(message="Pushing")) as Successful_Polls 
| eval Percent_Successful=(((Successful_Polls)/Total_Polls)*100) 
| fields _time Percent_Successful

This allows you to just compute one stats function and then evaluate any combination of percentages across your dataset. Of course this is a timechart, so you can just replace this with stats to get the desired functionality.

Path Finder

Maybe I am being dense, but the eventstats documentation is baffling and I cannot get it to calculate percentages as asked in the question.

Any chance of a worked example?


The "top" example worked for me instead. eventstats didn't make sense.


Path Finder

Thanks, this is exactly what I needed.
