Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- extract percentage of code by servername
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
i have two field "servername" "code". i need to extract percent of code by servers.
index="my-index" | table servername code
expected output:
servername code percent count
server1 404 50% 50
500 40% 40
401 10% 10
server2 404 55% 55
500 30% 30
401 15% 15
any idea?
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
after several try finally find solution, here is the solution:
index="my-index" err* |
| fields code, servername
| stats count(code) as totalCount by servername, code
| eventstats sum(totalCount) as _total
| eventstats sum(totalCount) as _totalPerServer by servername
| eval percentageTotal=round((totalCount/_total)*100,2)
| eval precentagePerServer=round((totalCount/_totalPerServer)*100,2)
| stats list(code) as code list(precentagePerServer) as percentageTotal list(totalCount) by servername
| sort - totalCount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@indeed_2000It looks like the solution you posted and accepted uses the code from the page I linked to. Glad it helped you. It looks like you've found that lines of SPL code may be useful for multiple use cases.
If the pointer I provided was helpful, a karma thumbs up is appreciated.
Happy Splunking!
If this reply helps you, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
after several try finally find solution, here is the solution:
index="my-index" err* |
| fields code, servername
| stats count(code) as totalCount by servername, code
| eventstats sum(totalCount) as _total
| eventstats sum(totalCount) as _totalPerServer by servername
| eval percentageTotal=round((totalCount/_total)*100,2)
| eval precentagePerServer=round((totalCount/_totalPerServer)*100,2)
| stats list(code) as code list(precentagePerServer) as percentageTotal list(totalCount) by servername
| sort - totalCount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @indeed_2000 ! It's often a good idea to search the community for answers before asking the question. In this case, I found exactly an answer in only one search:
If this resolves your problem, please accept this answer.
If this reply helps you, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the question that you mention is different that with my question.
any idea?
thanks
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
