Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

calculate Field count and pass it for percent calculation

k_harini
Communicator
‎10-13-2016 02:49 AM

Hi,
I'm a newbie to splunk. Struggling with a query. All i want to do now is pass the total value so that i can calculate the %. One part of query is done. Other part I'm facing issue - to pass total value
Tried this
1. index="my_index" | eval reformat_time= strftime(strptime('Due Date',"%d.%m.%Y"),"%d.%m.%Y")|eval now_time=strftime(now(),"%d.%m.%Y")|where (reformat_time >= now_time) AND ('Status'!="Oxxx") |stats count as Missed_count count(eval(index=” my_index”) as Total|table Missed_count Total .. I'm not able to get total and hence could not calculate completed %. I got missed count. Im looking for total count to calculate %.
2. Tried with eventstats too
index="charm_normal_index"|eventstats count as Total_events|eval reformat_time= strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y")|eval now_time=strftime(now(),"%d.%m.%Y")|where (reformat_time >= now_time) AND ('System Status'!="Completed") |stats count as Missed_count| table Missed_count Total_events

No luck. Please help

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-13-2016 04:47 AM

There are a couple of ways you can do this.. You almost has both of them.. Try one of these

Using eventstats

index="charm_normal_index"|eventstats count as Total_events | where (reformat_time >= now_time) AND ('System Status'!="Completed") | eval reformat_time= strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y") | eval now_time=strftime(now(),"%d.%m.%Y") | stats count as Missed_count values(Total_events) as Total_events

Using stats

index="charm_normal_index"|eventstats count as Total_events | eval reformat_time= strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y") | eval now_time=strftime(now(),"%d.%m.%Y") | stats count as Total_events count(eval((reformat_time >= now_time) AND ('System Status'!="Completed") )) as Missed_count

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-13-2016 04:47 AM

There are a couple of ways you can do this.. You almost has both of them.. Try one of these

Using eventstats

index="charm_normal_index"|eventstats count as Total_events | where (reformat_time >= now_time) AND ('System Status'!="Completed") | eval reformat_time= strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y") | eval now_time=strftime(now(),"%d.%m.%Y") | stats count as Missed_count values(Total_events) as Total_events

Using stats

index="charm_normal_index"|eventstats count as Total_events | eval reformat_time= strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y") | eval now_time=strftime(now(),"%d.%m.%Y") | stats count as Total_events count(eval((reformat_time >= now_time) AND ('System Status'!="Completed") )) as Missed_count
Reply
Solved! Jump to solution

k_harini
Communicator
‎10-13-2016 10:45 AM

Hi,

Using stats worked. 1st query did not work. There is another option with join. I did with that. Thanks a lot for your response

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...