Solved: Top percentage out of total events

Yancy · ‎02-14-2013

When using the fields sidebar, I can see how often a field appears out of my total result set (ie Appears in 62% of results), and how often the top values of that field appear in the results.

When I use the top command, I can see how often these values appear out of the total number of events that contain that field.

How can I obtain statistics similar how the field sidebar presents them, as a percentage of the total result set?

In my use case I have UserAgent split out to multiple fields and want to know what are the top UserAgents across our total traffic.

Ron_Naken · ‎02-14-2013

Here are a couple working options to help with ideas (replace ... with your search):

... | eventstats count AS total | stats first(total) AS total count AS c by UserAgent | eval  perc=(c/total)*100 | fields - total | sort - perc | head 10

or

... | eventstats count AS total | chart eval(count/first(total)) AS perc BY UserAgent | sort - perc

View solution in original post

Ron_Naken · ‎02-14-2013

Here are a couple working options to help with ideas (replace ... with your search):

... | eventstats count AS total | stats first(total) AS total count AS c by UserAgent | eval  perc=(c/total)*100 | fields - total | sort - perc | head 10

or

... | eventstats count AS total | chart eval(count/first(total)) AS perc BY UserAgent | sort - perc

Top percentage out of total events

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7