Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Stats count as a percentage as the total?

christopherutz
Path Finder
‎12-07-2010 08:54 PM

I have a search which I am using stats to generate a data grid. Something to the affect of

Choice1 10
Choice2 50
Choice3 100
Choice4 40

I would now like to add a third column that is the percentage of the overall count. So something like

Choice1 10 .05
Choice2 50 .25
Choice3 100 .50
Choice4 40  .20

I suspect I need to use a subsearch for this because each row now depends on the total count but I am not exactly sure how to accomplish this. Any help would be greatly appreciated.

Labels (1)
Labels
Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎12-07-2010 08:59 PM

You can do this without a subsearch - take a look at the eventstats command.

View solution in original post

Reply
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎12-07-2010 08:59 PM

You can do this without a subsearch - take a look at the eventstats command.

Reply
Solved! Jump to solution

acdevlin
Communicator
‎08-18-2011 02:23 PM

For the earlier question, you could probably do something like this: 

... | eventstats count as "totalCount" | eventstats count as "choiceCount" by choice  | eval percent=(choiceCount/totalCount)*100 | stats values(choiceCount), values(percent) by choice

Usually, you can avoid eventstats altogether and just use the "top" command (http://docs.splunk.com/Documentation/Splunk/4.2.3/SearchReference/Top ) like so:

... | top choice limit=0
Reply
Solved! Jump to solution

haraksin
Communicator
‎03-17-2021 01:39 PM

In addition to this, in order to avoid using multiple stats stanzas, I use this type of structure with a stats then an eval:

| search (message="Polling" OR message="No data" OR message="503" OR message="Pushing") 
| timechart count(eval(message="Polling")) as Total_Polls count(eval(message="No data")) as Dataless_Polls count(eval(message="503")) as Error_Polls count(eval(message="Pushing")) as Successful_Polls 
| eval Percent_Successful=(((Successful_Polls)/Total_Polls)*100) 
| fields _time Percent_Successful

This allows you to just compute one stats function and then evaluate any combination of percentages across your dataset. Of course this is a timechart, so you can just replace this with stats to get the desired functionality.

Reply
Solved! Jump to solution

raoul
Path Finder
‎08-18-2011 08:40 AM

Maybe I am being dense, but the eventstats documentation is baffling and I cannot get it to calculate percentages as asked in the question.

Any chance of a worked example?

Reply
Solved! Jump to solution

klaurea
Engager
‎10-28-2022 03:19 PM

The  "top" example worked for me instead. eventstats didn't make sense

0 Karma
Reply
Solved! Jump to solution

christopherutz
Path Finder
‎12-07-2010 10:18 PM

Thanks, this is exactly what I needed.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...