- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- addcoltotals : do not sum percentages
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'd like to do the following (screenshot at http://hpics.li/49c6c08), do not sum percentages but just following a calculation rule.
Thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solved, thanks guy.
final search :
| multisearch [ search index="xxx" sourcetype="xxx_Recherche" | where NB_Resultat = 0 | rename NB_Resultat as SZERO ] [ search index="xxx" sourcetype="xxx_Recherche" | where NB_Resultat > 0 | rename NB_Resultat as AZERO ] | stats count(AZERO) as totalsearch, count(SZERO) as totalfailed by Resultat | eval wresult=round(totalfailed/(totalfailed+totalsearch)*100,0) | eval ctotal=totalfailed+totalsearch | eventstats sum(ctotal) as sum_ctotal | eval Un=round(ctotal/sum_ctotal*100,0) | eval Recherches=case(Resultat="null","Cadas (U".Un."%)",Resultat="EXACT","Exact (U".Un."%)",Resultat="APPROXIMATIF","Approximatif (U".Un."%)") | table Recherches,totalsearch,totalfailed, ctotal, wresult | eval zresult=tostring(wresult) + "%" | addcoltotals labelfield=Recherches label=TOTAL | rename totalsearch as "Résultats trouvés", totalfailed as "Rien", zresult as "Recherches sans résultat", ctotal as TOTAL | fields - wresult | eval "Recherches sans résultat"=if(like(Recherches,"TOTAL"),round((Rien/TOTAL),2)*100,round(Rien/TOTAL*100,0))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solved, thanks guy.
final search :
| multisearch [ search index="xxx" sourcetype="xxx_Recherche" | where NB_Resultat = 0 | rename NB_Resultat as SZERO ] [ search index="xxx" sourcetype="xxx_Recherche" | where NB_Resultat > 0 | rename NB_Resultat as AZERO ] | stats count(AZERO) as totalsearch, count(SZERO) as totalfailed by Resultat | eval wresult=round(totalfailed/(totalfailed+totalsearch)*100,0) | eval ctotal=totalfailed+totalsearch | eventstats sum(ctotal) as sum_ctotal | eval Un=round(ctotal/sum_ctotal*100,0) | eval Recherches=case(Resultat="null","Cadas (U".Un."%)",Resultat="EXACT","Exact (U".Un."%)",Resultat="APPROXIMATIF","Approximatif (U".Un."%)") | table Recherches,totalsearch,totalfailed, ctotal, wresult | eval zresult=tostring(wresult) + "%" | addcoltotals labelfield=Recherches label=TOTAL | rename totalsearch as "Résultats trouvés", totalfailed as "Rien", zresult as "Recherches sans résultat", ctotal as TOTAL | fields - wresult | eval "Recherches sans résultat"=if(like(Recherches,"TOTAL"),round((Rien/TOTAL),2)*100,round(Rien/TOTAL*100,0))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, now click Accept for the answer that you like best to close the question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok thanks again 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this (once you fix the umlauts):
... | eval $Recherches sans rsultat$ = if(like(Recherches, "TOTAL"), round((Rien/TOTAL), 2), "Recherches sans rsultat")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
... | eval "Recherches sans rsultat" = if(Recherches="TOTAL", round(Rien/TOTAL, 2), "Recherches sans rsultat")
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
