Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- calculate percentage in a chart over day
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am using a search
Mysearch
|eval Guest=if(sid=22,BOT,Others)
| convert timeformat="%Y-%m-%d" ctime(_time) AS date
|chart count over Guest by dateAnd the results is like below.
Guest 2024-12-18 2024-12-19
BOT 10 20
Others 90 80
Now I want to display the percentage of activity by Guest over date
Maybe something like below
Guest 2024-12-18 2024-12-19
BOT 10 (10%) 200(20%)
Others 90 (90%) 800(80%)
Could someone possible help here?
Many thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello hello!
There may be a simpler way to get this working, but my first thought is to use something like this:
Mysearch
| eval Guest=if(sid=22, "BOT", "Others")
| convert timeformat="%Y-%m-%d" ctime(_time) AS date
| stats count by date, Guest
| eventstats sum(count) as total by date
| eval percentage=round((count/total)*100, 0)
| eval count=count." (".percentage."%)"
| xyseries Guest date count
Edit: Yep, here is a version that's a little shorter:
Mysearch
| eval Guest=if(sid=22, "BOT", "Others")
| bin _time span=1d
| stats count by _time Guest
| eval
total=count,
percentage=round((count/total)*100, 0),
count=count." (".percentage."%)"
| xyseries Guest _time count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello hello!
There may be a simpler way to get this working, but my first thought is to use something like this:
Mysearch
| eval Guest=if(sid=22, "BOT", "Others")
| convert timeformat="%Y-%m-%d" ctime(_time) AS date
| stats count by date, Guest
| eventstats sum(count) as total by date
| eval percentage=round((count/total)*100, 0)
| eval count=count." (".percentage."%)"
| xyseries Guest date count
Edit: Yep, here is a version that's a little shorter:
Mysearch
| eval Guest=if(sid=22, "BOT", "Others")
| bin _time span=1d
| stats count by _time Guest
| eval
total=count,
percentage=round((count/total)*100, 0),
count=count." (".percentage."%)"
| xyseries Guest _time count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please try:
index=<yourindex> sid=*
|eval Guest=if(sid=22,BOT,Others)
| bin _time span=1d
| eventstats count as totalevents by _time
| eventstats count as guest_count by Guest
| eval percentage=round((guest_count/totalevents)*100,2)
| eval final_field = guest_count. "(" .percentage. " %)"
| eval time=strftime(_time, "%Y-%m-%d")
| chart values(final_field) over Guest by time
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
What Is Splunk? Here’s What You Can Do with Splunk
Level Up Your .conf25: Splunk Arcade Comes to Boston
