Splunk Search

## Top percentage from stats output?

Path Finder

I've got a search which returns a simple table like this one:

```clean    61234
cleaned     22
infected   173
spam     87134
```

I'd like to calculate percentages from these results. I don't seem to be able to eval total=sum(count) to then perform arbitrary math, and top gives a count of one for each item, so they're all at 25%.

Tags (2)
1 Solution
SplunkTrust

you can use the eventstats command to do this. Eventstats is a very unusual command but it was added to do things like this, where you want statistics about the entire search results but you want those statistics available as fields on each event.

`eventstats sum(count) as total` will take the sum of all the count fields across all the rows in the set, and add that as a `total` field on each event

So the desired end goal is:

`<your search> | eventstats sum(count) as total | eval percent=100*count/total | strcat percent "%" percent`

Splunk Employee

Hi smisplunk. If you're seeing top report 25% for each of these values

clean 61234
cleaned 22
infected 173
spam 87134

then you may be piping to top after another summary operation.

If I perform a search

``````* | stats count by sourcetype | top sourcetype
``````

It will show me that each sourcetype has an equal share (due to summary operation rolling-up the count for all sourcetypes to 1)

sourcetype     count     percent
test-too_small     1     33.333333
new-too_small     1     33.333333

We need to drop the previous summary operation to let top work its magic

``````* | top sourcetype
``````

That will return the percentage value pre-aggregation (notice the counts for each are now 8, 3, and 1 instead of ones)

sourcetype     count     percent
new-too_small     3     25.000000
test-too_small     1     8.333333

Nick's (above) suggestion, 4TW:

``````* | stats count by sourcetype | eventstats sum(count) as total | eval percent=100*count/total | strcat percent "%" percent
``````

sourcetype     count     percent          total
new-too_small    3     25%                 12
test-too_small     1     8.333333%      12

SplunkTrust

you can use the eventstats command to do this. Eventstats is a very unusual command but it was added to do things like this, where you want statistics about the entire search results but you want those statistics available as fields on each event.

`eventstats sum(count) as total` will take the sum of all the count fields across all the rows in the set, and add that as a `total` field on each event

So the desired end goal is:

`<your search> | eventstats sum(count) as total | eval percent=100*count/total | strcat percent "%" percent`

Engager

Instead of strcat, it is better to use fieldformat like this: | fieldformat percent=percent+"%"

SplunkTrust

Use the 'top' search operator, which will include the percentages.

http://www.splunk.com/base/Documentation/4.1.2/SearchReference/Top

Get Updates on the Splunk Community!

#### Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

#### There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...