Splunk Search

get percentage of specific field over volume

New Member

I have two queries:

1: sourcetype=A error=499
2: sourcetype=B X=*

I would like to make a timechart of the % of A on B.

Basically, I want to make a timechart that will tell me if an error code increase is because of a volume decrease, etc.

0 Karma

Ultra Champion

(sourcetype=A error=499) OR (sourcetype=B X=*)
| timechart count by sourcetype
| eval perc = round(A / B * 100, 2)
| fillnull
0 Karma
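The following is an added example, not part of the thread or of any Splunk code: a Python emulation of what the search above computes per time bucket, run on constructed events, with a hypothetical helper `explain_changes` that labels whether a rise in `perc` came from more errors or from lower volume. The function names, the one-hour span and the sample counts are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

def make_events():
    """Constructed sample events (timestamp, sourcetype); not data from the thread.
    A stands for the error=499 events, B for the volume events (X=*)."""
    t0 = datetime(2022, 9, 1, 12, 0)
    plan = [(0, 5, 100), (1, 5, 50), (2, 10, 50), (3, 2, 0)]  # (hour, A count, B count)
    events = []
    for hour, a, b in plan:
        ts = t0 + timedelta(hours=hour)
        events += [(ts + timedelta(seconds=i), "A") for i in range(a)]
        events += [(ts + timedelta(seconds=i), "B") for i in range(b)]
    return events

def timechart_perc(events, span=timedelta(hours=1)):
    """Emulate: timechart count by sourcetype | eval perc=round(A/B*100,2) | fillnull.
    Simplification: only buckets that contain at least one event are returned."""
    counts = Counter()
    for ts, sourcetype in events:
        bucket = datetime.min + ((ts - datetime.min) // span) * span
        counts[(bucket, sourcetype)] += 1
    rows = []
    for bucket in sorted({b for b, _ in counts}):
        a, b = counts[(bucket, "A")], counts[(bucket, "B")]
        # SPL eval returns null on division by zero; fillnull then writes 0.
        perc = round(a / b * 100, 2) if b else 0
        rows.append({"_time": bucket, "A": a, "B": b, "perc": perc})
    return rows

def explain_changes(rows):
    """Hypothetical helper: label each bucket-to-bucket rise in perc by its driver."""
    notes = []
    for prev, cur in zip(rows, rows[1:]):
        if cur["perc"] <= prev["perc"]:
            notes.append("no increase")
        elif cur["A"] > prev["A"] and cur["B"] >= prev["B"]:
            notes.append("more errors")
        elif cur["A"] <= prev["A"] and cur["B"] < prev["B"]:
            notes.append("volume drop")
        else:
            notes.append("mixed")
    return notes

if __name__ == "__main__":
    for row in timechart_perc(make_events()):
        print(row)
```

In the last constructed bucket B is 0, so `perc` reads 0 even though two errors occurred; keeping the A and B columns next to `perc` on the chart avoids misreading that bucket.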