Splunk Search

calculate percentage in a chart over day

Souradip11
Engager

Hi,

I am using a search

Mysearch
| eval Guest=if(sid=22, "BOT", "Others")
| convert timeformat="%Y-%m-%d" ctime(_time) AS date
| chart count over Guest by date

And the results are like below.

Guest     2024-12-18    2024-12-19
BOT       10            20
Others    90            80

Now I want to display the percentage of activity by Guest over date

Maybe something like below

Guest     2024-12-18    2024-12-19
BOT       10 (10%)      200 (20%)
Others    90 (90%)      800 (80%)

Could someone possibly help here?

Many thanks 


emlin_charly
Explorer

Hello hello!

There may be a simpler way to get this working, but my first thought is to use something like this:

Mysearch
| eval Guest=if(sid=22, "BOT", "Others") 
| convert timeformat="%Y-%m-%d" ctime(_time) AS date 
| stats count by date, Guest
| eventstats sum(count) as total by date
| eval percentage=round((count/total)*100, 0)
| eval count=count." (".percentage."%)"
| xyseries Guest date count

Edit: Yep, here is a version that's a little shorter:

Mysearch
| eval Guest=if(sid=22, "BOT", "Others")
| bin _time span=1d
| stats count by _time Guest
| eventstats sum(count) as total by _time
| eval
    percentage=round((count/total)*100, 0),
    count=count." (".percentage."%)"
| xyseries Guest _time count

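A self-contained variant of the accepted pipeline, added here as an example and not part of emlin_charly's post: it builds a few constructed events with makeresults and mvexpand (the dates and sid values are made up) so the search runs without any index, and it fills Guest/date combinations that have no events so the chart never shows an empty cell.

```spl
| makeresults
| eval row=split("2024-12-18,22;2024-12-18,22;2024-12-18,7;2024-12-18,9;2024-12-19,22;2024-12-19,7;2024-12-19,7;2024-12-19,7;2024-12-19,7", ";")
| mvexpand row
| eval date=mvindex(split(row, ","), 0), sid=tonumber(mvindex(split(row, ","), 1))
| eval _time=strptime(date, "%Y-%m-%d")
| fields - row
| eval Guest=if(sid=22, "BOT", "Others")
| stats count by date, Guest
| eventstats sum(count) as total by date
| eval percentage=round((count/total)*100, 0)
| eval cell=count." (".percentage."%)"
| xyseries Guest date cell
| fillnull value="0 (0%)"
```

With the constructed rows above the chart shows BOT as 2 (50%) and Others as 2 (50%) on 2024-12-18, and BOT as 1 (20%) and Others as 4 (80%) on 2024-12-19; the eventstats step is what makes the total per day rather than per row.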


Souradip11
Engager

Hi @emlin_charly 

First one worked.

Thanks


emlin_charly
Explorer

Awesome!


PaulPanther
Motivator

Please try:

index=<yourindex> sid=*
| eval Guest=if(sid=22, "BOT", "Others")
| bin _time span=1d
| eventstats count as totalevents by _time
| eventstats count as guest_count by _time, Guest
| eval percentage=round((guest_count/totalevents)*100, 2)
| eval final_field=guest_count."(".percentage." %)"
| eval time=strftime(_time, "%Y-%m-%d")
| chart values(final_field) over Guest by time
