Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Top to a sum

jrodriguezap
Contributor
‎09-30-2013 05:59 PM

Hello!
I try to make the sum of a field, but then need to get the percentage occupied by each of the first 4, and% occupying all others, ie get something like this:

**Service**    **SumMB**        **percent**
  HHTP            90               25.71
  HTTPS           85               22.45
  DNS             81               21.09
  SMTP            70               16.90
  Otros           23               13.85

I tried something like this, but that would be missing something but, as you could?

SEARCH | stats sum(MB) AS SumMB by service | top SumMB otherstr="Others"

Thank you for your attention.
:)

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎09-30-2013 10:07 PM

"Others" is displayed if I assume it "useother=true". However, I think that this isn't the result that you expect.

SEARCH | stats sum(MB) AS SumMB by service | top SumMB useother=true otherstr="Others"

I think that it is necessary to calculate percent by oneself.

For example
SEARCH | stats sum(MB) AS SumMB by service |sort - SumMB|eval id=1|accum id|eval Service=if(id<=4,service,"OTHER")|stats sum(SumMB) as SumMB by Service|addcoltotals labelfield=Service label=ALL|sort - SumMB|eval Total=IF(Service="ALL",SumMB,0)|accum Total|WHERE Service!="ALL"|eval percent=SumMB/Total*100|fields - Total

comment

|sort - SumMB|eval id=1|accum id|eval Service=if(id<=4,service,"OTHER")|->extract TOP4 and "OTHER"
|addcoltotals labelfield=Service label=ALL|sort - SumMB|eval Total=IF(Service="ALL",SumMB,0)|accum Total|WHERE Service!="ALL"|->Calculation of the total

When there is little number, you may demand total by a subsearch.

View solution in original post

Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎09-30-2013 10:07 PM

"Others" is displayed if I assume it "useother=true". However, I think that this isn't the result that you expect.

SEARCH | stats sum(MB) AS SumMB by service | top SumMB useother=true otherstr="Others"

I think that it is necessary to calculate percent by oneself.

For example
SEARCH | stats sum(MB) AS SumMB by service |sort - SumMB|eval id=1|accum id|eval Service=if(id<=4,service,"OTHER")|stats sum(SumMB) as SumMB by Service|addcoltotals labelfield=Service label=ALL|sort - SumMB|eval Total=IF(Service="ALL",SumMB,0)|accum Total|WHERE Service!="ALL"|eval percent=SumMB/Total*100|fields - Total

comment

|sort - SumMB|eval id=1|accum id|eval Service=if(id<=4,service,"OTHER")|->extract TOP4 and "OTHER"
|addcoltotals labelfield=Service label=ALL|sort - SumMB|eval Total=IF(Service="ALL",SumMB,0)|accum Total|WHERE Service!="ALL"|->Calculation of the total

When there is little number, you may demand total by a subsearch.

Reply
Solved! Jump to solution

jrodriguezap
Contributor
‎10-01-2013 11:05 AM

Your response and your logic are excellent!
Thank you very much HiroshiSatoh!

0 Karma
Reply
Solved! Jump to solution

jrodriguezap
Contributor
‎09-30-2013 06:44 PM

Sorry for the confusion, but the result I'm trying to get is the one show as a table. I hope you understand.

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎09-30-2013 06:13 PM

In your question you ask for the sum of the first 4 with a percent, and then a percent of the others, but in your example you show the sum and percent for all 5. Your goal is not clear.
The question: "I tried something like this, but that would be missing something but, as you could?" does not compute. Can you review this question, please.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...