
contingency command and percent

gnovak
Builder

I have a search where I am trying to take the totals and turn them into a percentage.

sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" WAT 
| rex field=_raw "USER (?P<registrar>\[\d+-\w\w\]) downloading .*/(?<filename>.+?)$" 
| rex field=source "^/opt/log/(?<registry>[^/]+)/web_server/.*$"
| search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=*-*.pdf OR filename=*-*_invoice.html NOT filename=*-*_*.pdf 
| eval Actual=case(filename=="Statement.pdf","Billing Statement",filename=="Invoice.pdf","Billing Invoice", filename=="text.txt","Billing Text",match(filename,".*-.*\.pdf$"),"Scorecard",match(filename,".*-.*_invoice\.html$"),"Drilldown Invoice") 
| contingency registrar Actual

I've looked at other commands such as eventtable, stats and even top but I can't seem to get the values to show a percentage instead of a count.

Can you make the numbers from contingency into percent? Is that possible using this command? It seems every time I try to pipe my results to something else the "Actual" field doesn't work and the percentage doesn't show up...


kristian_kolb
Ultra Champion

Have you, instead of contingency, tried to use:

... | top Actual by registrar

with the optional removal of the count field

... | top Actual by registrar | fields - count

It sounds to me like this is what you are trying to achieve.

Hope this helps,

Kristian


gnovak
Builder

This is actually working. There are so many different options.


gnovak
Builder

| top registry registrar Actual limit=0


kristian_kolb
Ultra Champion

Well, if you want to you could always post a few sample lines of log (with IPs/usernames/passwords masked) along with a table describing the desired output.

That will enable the community to help you further along.

Otherwise, best of luck.

/k


gnovak
Builder

I've changed to using stats and I'm going to see if I can get percent this way.


gnovak
Builder

I'm starting to think stats might be a better command to use at this point.


gnovak
Builder

I like the way contingency breaks it down... but I need to have a percentage instead of just a count. So far, with every command I've tried, I haven't been able to keep the same format: all the file names listed at the top, registrars on the left, and then the values of how many times each registrar accessed the file.


gnovak
Builder

It's strange but it does not break it down the way I want unless I use contingency. Contingency takes all the values of Actual and lists how many times they were accessed. They are basically filenames. It does a great job of doing this. However if I use a different command the format isn't the same at all.
