Splunk Search

calculate percentage

dhs_harry08
Path Finder

Hi,

I have a requirement wherein I am using bucket to calculate range and their values.

host="hobbes8" |search success OR fail|eventstats count(txnId) as gtotal |bucket api_time bins=100|eventstats count(txnId) as total by api_time|eval percent=100*total/gtotal |table api_time,percent,total.

I am getting my result but im getting many dupliicate entries. An when I am using stats I am getting the error. api_time should be numerical. Can you help me with this.
I need the result like this.

api_time    percent        total

1 1500-1600 0.277316 10
2 400-500 6.211869 224
3 800-900 2.329451 84
4 300-400 6.267332 226

Regards,
Harish

Tags (3)
0 Karma
1 Solution

acdevlin
Communicator

Stats does have the ability to print non-numerical values; I'm not sure why it would complain about them, unless there was a syntax error somewhere in your query . Try the following instead of the pipe to "table" to display your results:

... | stats values(percent) AS "Percent", values(total) AS "Total" by api_time

If you still get duplicate values, you might want to look into the "dedup" command: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup

View solution in original post

dhs_harry08
Path Finder

Thankq that helped and worked.

Regards,
Harish

0 Karma

acdevlin
Communicator

Stats does have the ability to print non-numerical values; I'm not sure why it would complain about them, unless there was a syntax error somewhere in your query . Try the following instead of the pipe to "table" to display your results:

... | stats values(percent) AS "Percent", values(total) AS "Total" by api_time

If you still get duplicate values, you might want to look into the "dedup" command: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup

dhs_harry08
Path Finder

api_time percent total

1500-1600 0.277316 10

400-500 6.211869 224

800-900 2.329451 84

300-400 6.267332 226

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...