I'm hoping someone can help me out here. I'm looking to create a simple table that displays a column for "count" and another for "Percentage of total". For some reason splunk is not recognizing the total field within the denominator of my eval command. Any suggestions on how to append this?
index=ABC sourcetype="ABC" "EVNT=SWIendcall" |stats count by OUTCOME | addtotals row=f col=t labelfield=OUTCOME |eval Percentage=ROUND((count/Total)*100,1)
Splunk generally works on a pipeline of events so the total has to be a field in each event. Try something like this.
index=ABC sourcetype="ABC" "EVNT=SWIendcall" |stats count by OUTCOME
| eventstats sum(count) as Total
| eval Percentage=ROUND((count/Total)*100,1)
| addtotals row=f col=t labelfield=OUTCOME