Splunk Search

Using top to get count and percentage by subgroup

mschellhouse
Path Finder

I am using the following code to get a count and percentage breakdown by x and y. I would like the percent returned to be within the subgroup of x rather than percent of the total population.

top limit=0 x y

0 Karma
1 Solution

somesoni2
Revered Legend

Try like this

your base search | stats count by x y | eventstats sum(count) as total by x | eval perc=count*100/total | sort 0 host -count

View solution in original post

somesoni2
Revered Legend

Try like this

your base search | stats count by x y | eventstats sum(count) as total by x | eval perc=count*100/total | sort 0 host -count
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...