Splunk Search

Why are top and appendcols giving different percentage results?

abhi04
Communicator

Hi,

Why are the below two queries giving me different percentage values? I checked the total count, and the count for Action=Sell is the same. Am I missing something here?

index=abc source=def
| top Action

 

This gives me 49.7 % for Action=Buy

================================================

index=abc source=def
| stats count as Total
| appendcols
[ search index=abc source=def
| search Action=Buy
| stats count as Buy]
| eval Percent_Buy=round((Buy/Total)*100,2)

 

This gives me 27.7 % for Action=Buy

0 Karma

abhi04
Communicator

So, top does not take NULL into account for total and percentage? Is there a way top can take NULL into consideration? @ITWhisperer

0 Karma

ITWhisperer
SplunkTrust

You could use fillnull to give the null fields a non-null value.

0 Karma

PickleRick
SplunkTrust

Just to _not_ get you into the habit of writing bad searches. The one you wrote can be easily rewritten not to use appendcols and a subsearch. For example, like this:

index=abc source=def
| eval is_action_buy=if(Action="Buy",1,null())
| stats count AS Total count(is_action_buy) AS Buy
| eval buy_ratio=Buy/Total

 

0 Karma

ITWhisperer
SplunkTrust

top Action will only give you the percentage of the non-null values, whereas Total will include null values.

0 Karma
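Added example, not part of the original thread: a self-contained search over constructed makeresults data (10 events: 3 Buy, 2 Sell, 5 with no Action field) that puts the two denominators discussed above side by side. percent_of_non_null divides by the events that have an Action, the total the replies say top uses, while percent_of_all divides by every event, as the stats/appendcols search does; all field names other than Action, and the "NULL" placeholder value, are assumptions.

```spl
| makeresults count=10
| streamstats count AS n
| eval Action=case(n<=3, "Buy", n<=5, "Sell")
| eventstats count AS total_events count(Action) AS events_with_action
| fillnull value="NULL" Action
| stats count AS events BY Action total_events events_with_action
| eval percent_of_non_null=if(Action="NULL", null(), round(events/events_with_action*100, 2))
| eval percent_of_all=round(events/total_events*100, 2)
| fields Action events percent_of_non_null percent_of_all
```

On this sample, Buy comes out at 60% of the non-null events but 30% of all events: the same event count over two different totals. The fillnull line is what keeps the events without an Action visible as their own row.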