Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Stats count as a percentage as the total?

christopherutz
Path Finder
‎12-07-2010 08:54 PM

I have a search which I am using stats to generate a data grid. Something to the affect of

Choice1 10
Choice2 50
Choice3 100
Choice4 40

I would now like to add a third column that is the percentage of the overall count. So something like

Choice1 10 .05
Choice2 50 .25
Choice3 100 .50
Choice4 40  .20

I suspect I need to use a subsearch for this because each row now depends on the total count but I am not exactly sure how to accomplish this. Any help would be greatly appreciated.

Labels (1)
Labels
Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎12-07-2010 08:59 PM

You can do this without a subsearch - take a look at the eventstats command.

View solution in original post

Reply
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎12-07-2010 08:59 PM

You can do this without a subsearch - take a look at the eventstats command.

Reply
Solved! Jump to solution

acdevlin
Communicator
‎08-18-2011 02:23 PM

For the earlier question, you could probably do something like this: 

... | eventstats count as "totalCount" | eventstats count as "choiceCount" by choice  | eval percent=(choiceCount/totalCount)*100 | stats values(choiceCount), values(percent) by choice

Usually, you can avoid eventstats altogether and just use the "top" command (http://docs.splunk.com/Documentation/Splunk/4.2.3/SearchReference/Top ) like so:

... | top choice limit=0
Reply
Solved! Jump to solution

haraksin
Path Finder
‎03-17-2021 01:39 PM

In addition to this, in order to avoid using multiple stats stanzas, I use this type of structure with a stats then an eval:

| search (message="Polling" OR message="No data" OR message="503" OR message="Pushing") 
| timechart count(eval(message="Polling")) as Total_Polls count(eval(message="No data")) as Dataless_Polls count(eval(message="503")) as Error_Polls count(eval(message="Pushing")) as Successful_Polls 
| eval Percent_Successful=(((Successful_Polls)/Total_Polls)*100) 
| fields _time Percent_Successful

This allows you to just compute one stats function and then evaluate any combination of percentages across your dataset. Of course this is a timechart, so you can just replace this with stats to get the desired functionality.

Reply
Solved! Jump to solution

raoul
Path Finder
‎08-18-2011 08:40 AM

Maybe I am being dense, but the eventstats documentation is baffling and I cannot get it to calculate percentages as asked in the question.

Any chance of a worked example?

Reply
Solved! Jump to solution

klaurea
Engager
‎10-28-2022 03:19 PM

The  "top" example worked for me instead. eventstats didn't make sense

0 Karma
Reply
Solved! Jump to solution

christopherutz
Path Finder
‎12-07-2010 10:18 PM

Thanks, this is exactly what I needed.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...