Solved: addcoltotals : do not sum percentages

splunkreal · ‎07-25-2016

Hello,

I'd like to do the following (screenshot at http://hpics.li/49c6c08), do not sum percentages but just following a calculation rule.

Thanks for your help.

Screenshot

* If this helps, please upvote or accept solution 🙂 *

splunkreal · ‎07-26-2016

Solved, thanks guy.

final search :

| multisearch [ search index="xxx" sourcetype="xxx_Recherche" | where NB_Resultat = 0 | rename NB_Resultat as SZERO ] [ search index="xxx" sourcetype="xxx_Recherche" | where NB_Resultat > 0 | rename NB_Resultat as AZERO ] | stats count(AZERO) as totalsearch, count(SZERO) as totalfailed by Resultat | eval wresult=round(totalfailed/(totalfailed+totalsearch)*100,0) | eval ctotal=totalfailed+totalsearch | eventstats sum(ctotal) as sum_ctotal | eval Un=round(ctotal/sum_ctotal*100,0) | eval Recherches=case(Resultat="null","Cadas (U".Un."%)",Resultat="EXACT","Exact (U".Un."%)",Resultat="APPROXIMATIF","Approximatif (U".Un."%)") | table Recherches,totalsearch,totalfailed, ctotal, wresult | eval zresult=tostring(wresult) + "%" | addcoltotals labelfield=Recherches label=TOTAL | rename totalsearch as "Résultats trouvés", totalfailed as "Rien", zresult as "Recherches sans résultat", ctotal as TOTAL | fields - wresult | eval "Recherches sans résultat"=if(like(Recherches,"TOTAL"),round((Rien/TOTAL),2)*100,round(Rien/TOTAL*100,0))

* If this helps, please upvote or accept solution 🙂 *

View solution in original post

splunkreal · ‎07-26-2016

Solved, thanks guy.

final search :

| multisearch [ search index="xxx" sourcetype="xxx_Recherche" | where NB_Resultat = 0 | rename NB_Resultat as SZERO ] [ search index="xxx" sourcetype="xxx_Recherche" | where NB_Resultat > 0 | rename NB_Resultat as AZERO ] | stats count(AZERO) as totalsearch, count(SZERO) as totalfailed by Resultat | eval wresult=round(totalfailed/(totalfailed+totalsearch)*100,0) | eval ctotal=totalfailed+totalsearch | eventstats sum(ctotal) as sum_ctotal | eval Un=round(ctotal/sum_ctotal*100,0) | eval Recherches=case(Resultat="null","Cadas (U".Un."%)",Resultat="EXACT","Exact (U".Un."%)",Resultat="APPROXIMATIF","Approximatif (U".Un."%)") | table Recherches,totalsearch,totalfailed, ctotal, wresult | eval zresult=tostring(wresult) + "%" | addcoltotals labelfield=Recherches label=TOTAL | rename totalsearch as "Résultats trouvés", totalfailed as "Rien", zresult as "Recherches sans résultat", ctotal as TOTAL | fields - wresult | eval "Recherches sans résultat"=if(like(Recherches,"TOTAL"),round((Rien/TOTAL),2)*100,round(Rien/TOTAL*100,0))

* If this helps, please upvote or accept solution 🙂 *

woodcock · ‎07-26-2016

OK, now click Accept for the answer that you like best to close the question.

splunkreal · ‎07-26-2016

Ok thanks again 🙂

* If this helps, please upvote or accept solution 🙂 *

woodcock · ‎07-25-2016

Like this (once you fix the umlauts):

... | eval $Recherches sans rsultat$ = if(like(Recherches, "TOTAL"), round((Rien/TOTAL), 2), "Recherches sans rsultat")

sundareshr · ‎07-25-2016

Try this

... | eval "Recherches  sans rsultat" = if(Recherches="TOTAL", round(Rien/TOTAL, 2), "Recherches  sans rsultat")

addcoltotals : do not sum percentages

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...