
View percentage with count

jonydupre
Path Finder

Hi all,

I'm pretty new to Splunk and I'm trying out different things to challenge myself. I completed the Fundamentals 1 course and started testing on some Linux systems. I'm trying to find unhealthy systems and sort them by "problem". That part works right now, but now I want to show the percentages of the problems.

index=Linux HCS "NOT OK" | table HCS host | search host="" | stats count by HCS

How should I go about summing everything up and getting all percentages based on different problems?
In the course they use top [field] limit=10 to view percentages, but in this case, that's not working.

Can someone help me out a bit?

Thanks!


KailA
Contributor

Hello,

I think your problem is that you're doing the stats before doing the top.
Try it like that

index=Linux HCS "NOT OK" 
| table HCS host 
| search host="o*" host!="osas*"
| top HCS limit=10

You will have the top 10 of the HCS with the count and the percentage 🙂

Let me know if it works!


jonydupre
Path Finder

Thanks, that works perfectly. Could you maybe elaborate why stats should not be before top?
I'm trying to learn as much as possible so I would appreciate that a lot!

Also, is there a way to be more interactive with the community for small questions like this? Something like a chatroom or something?

Thanks!


KailA
Contributor

Because for this case stats count and top are doing the same thing, so you have to use only one of them.
The difference is that top only does a count and then gives the percentage, but stats can do a count, sum, average, first or last value... (look at this documentation: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Stats#Stats_function_options)

And for your second question, we have a Slack and you can join us: splk.it/slack

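Added example, not part of the original posts: the percentage that top reports can also be computed with stats, which helps when more than a count is needed per problem (here, the number of distinct affected hosts). It reuses the HCS and host fields and the host filter from the thread; the field names hosts, total and percent are chosen for this example.

```spl
index=Linux HCS "NOT OK" host="o*" host!="osas*"
| stats count dc(host) AS hosts BY HCS
| eventstats sum(count) AS total
| eval percent = round(100 * count / total, 2)
| sort - count
| head 10
| fields HCS count hosts percent
```

eventstats adds the overall total to every row without collapsing the rows, so the percentage is taken over all matching events before head trims the list to ten, which matches what top HCS limit=10 reports.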

jonydupre
Path Finder

Thanks a lot! Really helpful
