Splunk Search

contingency command and percent

gnovak
Builder

I have a search where I am trying to take the totals and turn them into a percentage.

sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" WAT 
| rex field=_raw "USER (?P<registrar>\[\d+-\w\w\]) downloading .*/(?<filename>.+?)$" 
| rex field=source "^/opt/log/(?<registry>[^/]+)/web_server/.*$"
| search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=*-*.pdf OR filename=*-*_invoice.html NOT filename=*-*_*.pdf 
| eval Actual=case(filename=="Statement.pdf","Billing Statement",filename=="Invoice.pdf","Billing Invoice", filename=="text.txt","Billing Text",match(filename,".*-.*\.pdf$"),"Scorecard",match(filename,".*-.*_invoice\.html$"),"Drilldown Invoice") 
| contingency registrar Actual

I've looked at other commands such as eventtable, stats and even top but I can't seem to get the values to show a percentage instead of a count.

Can you make the numbers from contingency into percent? Is that possible using this command? It seems every time I try to pipe my results to something else the "Actual" field doesn't work and the percentage doesn't show up...

0 Karma

kristian_kolb
Ultra Champion

Have you, instead of contingency, tried to use:

... | top Actual by registrar

with the optional removal of the count field

... | top Actual by registrar | fields - count

It sounds to me like this is what you are trying to achieve.

Hope this helps,

Kristian

0 Karma
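For a table in the same shape as contingency (one row per registrar, one column per Actual value) but filled with percentages rather than counts, here is an added SPL example that is not from any post in this thread. It reuses the sourcetype, source, rex extractions, and Actual case() from the original question, and assumes the percentage wanted is each file's share of that registrar's downloads (computed with eventstats per registrar, then pivoted with xyseries); none of those later pipeline stages appear in the thread.

```spl
sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" WAT
| rex field=_raw "USER (?P<registrar>\[\d+-\w\w\]) downloading .*/(?<filename>.+?)$"
| search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=*-*.pdf OR filename=*-*_invoice.html NOT filename=*-*_*.pdf
| eval Actual=case(filename=="Statement.pdf","Billing Statement",filename=="Invoice.pdf","Billing Invoice",filename=="text.txt","Billing Text",match(filename,".*-.*\.pdf$"),"Scorecard",match(filename,".*-.*_invoice\.html$"),"Drilldown Invoice")
``` count each registrar/file pair, the same numbers contingency shows
| stats count BY registrar Actual
``` per-registrar denominator; drop the BY clause to use the grand total instead (assumption: row-wise percentages are wanted)
| eventstats sum(count) AS registrar_total BY registrar
| eval percent=round(100*count/registrar_total, 2)
``` pivot back into the contingency layout: registrars down the left, Actual values across the top
| xyseries registrar Actual percent
``` pairs that never occurred become 0 instead of empty cells
| fillnull value=0
```

Each row then sums to 100, which is the "how much of this registrar's activity is each file" view; if the intent is the share of all downloads across every registrar, remove BY registrar from the eventstats line so registrar_total becomes the overall total.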

gnovak
Builder

This is actually working. There are so many different options.

0 Karma

gnovak
Builder

| top registry registrar Actual limit=0

0 Karma

kristian_kolb
Ultra Champion

Well, if you want to you could always post a few sample lines of log (with IPs/usernames/passwords masked) along with a table describing the desired output.

That will enable the community to help you further along.

Otherwise, best of luck.

/k

0 Karma

gnovak
Builder

I've changed to using stats and I'm going to see if I can get percent this way.

0 Karma

gnovak
Builder

I'm starting to think Stats might be a better command to use at this point

0 Karma

gnovak
Builder

I like the way contingency breaks it down... but I need to have a percentage instead of just a count. So far, with every command I've used, I haven't been successful in keeping the same format: all the file names listed at the top, registrars on the left, and then the values of how many times each registrar accessed the file.

0 Karma

gnovak
Builder

It's strange, but it does not break it down the way I want unless I use contingency. Contingency takes all the values of Actual and lists how many times they were accessed. They are basically filenames. It does a great job of doing this. However, if I use a different command the format isn't the same at all.

0 Karma