Splunk Search

## addcoltotals : do not sum percentages

Builder

Hello,

I'd like to do the following (screenshot at http://hpics.li/49c6c08): do not sum the percentages, but just follow a calculation rule.

Builder

Solved, thanks guy.

Final search:

```
| multisearch
    [ search index="xxx" sourcetype="xxx_Recherche" | where NB_Resultat = 0 | rename NB_Resultat as SZERO ]
    [ search index="xxx" sourcetype="xxx_Recherche" | where NB_Resultat > 0 | rename NB_Resultat as AZERO ]
| stats count(AZERO) as totalsearch, count(SZERO) as totalfailed by Resultat
| eval wresult=round(totalfailed/(totalfailed+totalsearch)*100,0)
| eval ctotal=totalfailed+totalsearch
| eventstats sum(ctotal) as sum_ctotal
| eval Un=round(ctotal/sum_ctotal*100,0)
| eval Recherches=case(Resultat="null","Cadas (U".Un."%)",Resultat="EXACT","Exact (U".Un."%)",Resultat="APPROXIMATIF","Approximatif (U".Un."%)")
| table Recherches,totalsearch,totalfailed, ctotal, wresult
| eval zresult=tostring(wresult) + "%"
| addcoltotals labelfield=Recherches label=TOTAL
| rename totalsearch as "Résultats trouvés", totalfailed as "Rien", zresult as "Recherches sans résultat", ctotal as TOTAL
| fields - wresult
| eval "Recherches sans résultat"=if(like(Recherches,"TOTAL"),round((Rien/TOTAL),2)*100,round(Rien/TOTAL*100,0))
```

Esteemed Legend

OK, now click `Accept` for the answer that you like best to close the question.

Builder

Ok thanks again

Esteemed Legend

Like this (once you fix the umlauts):

```
... | eval $Recherches sans rsultat$ = if(like(Recherches, "TOTAL"), round((Rien/TOTAL), 2), "Recherches sans rsultat")
```
Legend

Try this

```
... | eval "Recherches  sans rsultat" = if(Recherches="TOTAL", round(Rien/TOTAL, 2), "Recherches  sans rsultat")
```
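
A run-anywhere sketch of the same rule, added here as an example and not taken from any post in this thread: the percentage is computed after `addcoltotals`, so the TOTAL row is derived from the summed counts instead of from a sum of the per-row percentages. The counts and the `pct_failed` field name are constructed for illustration; the other field names follow the search above.

```spl
| makeresults count=3
| streamstats count AS n
| eval Resultat=case(n=1,"EXACT", n=2,"APPROXIMATIF", n=3,"null")
| eval totalsearch=case(n=1,900, n=2,80, n=3,20)
| eval totalfailed=case(n=1,100, n=2,120, n=3,30)
| eval ctotal=totalsearch+totalfailed
| table Resultat totalsearch totalfailed ctotal
| addcoltotals labelfield=Resultat label=TOTAL totalsearch totalfailed ctotal
| eval pct_failed=round(totalfailed/ctotal*100, 0)
| eval pct_failed=tostring(pct_failed)."%"
```

With these constructed counts the per-row values are 10%, 60% and 60%, and the TOTAL row shows 250/1250 = 20% rather than the 130% a column sum would give.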