Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

get all fields

Shakira1
Explorer
‎10-17-2023 04:59 AM

HI

I need to get the count of all fields in some index and then calculate how many times in percentage it occurred out of all events.

 

hope its clear.

thank you!

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-17-2023 06:13 AM

Use the fieldsummary command to get the field info then calculate the percentage from that info.  It's not clear which percentage is sought so modify the eventstats and eval commands below as necessary.

index=_internal
| fieldsummary
``` Get the total number of fields ```
| eventstats sum(count) as Total,sum(distinct_count) as TotalDistinct
``` Compute the percentages ```
| eval Pct=round(count*100/Total,2), DistPct=round(distinct_count*100/TotalDistinct,2)

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Shakira1
Explorer
‎10-17-2023 06:52 AM

I would like to get the percentage of some count field from the total count

for example: 

after using fieldsummary I got this: [{"value":"/System/Library/LaunchAgents/com.apple.mdworker.shared.plist","count":61372} under value key

and the total count events is1,039,803, so in a new field I want to get the calculate for how much in percentage the count (61372) is from the total (1,039,803), this result I want to get to all my fields. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-17-2023 07:25 AM

Is this more like what you envision?

index=_internal
| fieldsummary
| eventstats sum(count) as Total
``` Get rid of fields we don't need ```
| fields - max mean min stdev is_exact
``` Convert the values array to a multi-value field ```
| eval mv_values=json_array_to_mv(values)
``` Put each value into a separate event ```
| mvexpand mv_values
``` Extract value and its count ```
| rex field=mv_values "value\\\":\\\"(?<value>[^\"]+)\\\",\\\"count\\\":(?<valueCount>\d+)"
| eval Pct=round(valueCount*100/Total,2)
| table field value valueCount Pct
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Shakira1
Explorer
‎10-18-2023 12:31 AM

its looking very good! thank you.

I just dont understand the calculate results. 

for example: in valueCount I have 294723 from the total which is 1360007 should be ≈ 21.67% but in Pct field value I have 0.33, Do you know why?

all my results in Pct are not correct. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-18-2023 08:05 AM

I don't get it, either.  When I plug your numbers into the query I get the expected 21.67.  Can you share a screenshot just so we're sure we're looking at the right numbers?

---
If this reply helps you, Karma would be appreciated.
Reply

Shakira1
Explorer
‎10-19-2023 12:29 AM

sure.

attached the valueCount and Pct.

also the number of events:  1,380,350 events

Tags (1)
Preview file
26 KB
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...