- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- calculate percentage from the results of two repor...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having a difficult time calculating a percentage based on two reports (searches).
Search 1
| inputlookup mydata.csv
| where category= "category" AND assignment_group="myteam" AND yyyy_mm="$Datedropdown$"
| stats count as myteamstotal
Search 2
| inputlookup mydata.csv
| where category= "category" AND yyyy_mm="$Datedropdown$"
| stats count as total
I'd like to calculate a percentage
| eval percent=(myteamstotal/total)*100
I tried this and got 0 as a result:
| inputlookup GCC-SNOW_01012018_12312018.csv
| where category= "category" AND assignment_group="myteam" AND yyyy_mm="$Datedropdown$"
| stats count as myteamstotal
| where category= "category" AND yyyy_mm="$Datedropdown$"
| stats count as total
| eval percent=(myteamstotal/total)*100
How can I calculate the percentage?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maybe try | appendcols
something like this:
| inputlookup mydata.csv
| where category= "category" AND assignment_group="myteam" AND yyyy_mm="$Datedropdown$"
| stats count as myteamstotal
| appendcols [ | inputlookup mydata.csv
| where category= "category" AND yyyy_mm="$Datedropdown$"
| stats count as total
| eval percent=(myteamstotal/total)*100
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maybe try | appendcols
something like this:
| inputlookup mydata.csv
| where category= "category" AND assignment_group="myteam" AND yyyy_mm="$Datedropdown$"
| stats count as myteamstotal
| appendcols [ | inputlookup mydata.csv
| where category= "category" AND yyyy_mm="$Datedropdown$"
| stats count as total
| eval percent=(myteamstotal/total)*100
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Adonio!
I just needed to close the brackets in the appendcols. Final query was:
| inputlookup mydata.csv
| where category= "category" AND assignment_group="myteam" AND yyyy_mm="$Datedropdown$"
| stats count as myteamstotal
| appendcols [ inputlookup mydata.csv
| where category= "category" AND yyyy_mm="$Datedropdown$"
| stats count as total]
| eval percent=(myteamstotal/total)*100
| fields percent
As an intermediate step to check any issues, you can view fields percent, myteamstotal, total as a table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this!
| inputlookup mydata.csv
| where category= "category" AND yyyy_mm="$Datedropdown$"
| stats count(eval(assignment_group="myteam")) as myteamstotal,count as total
| eval percent=(myteamstotal/total)*100
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
