Splunk Search

how to calculate percentage

Laya123
Communicator

Hi,

Can anyone help how to calculate percentage for the report below for '%Act_fail_G_Total'

host Act-Sucess Act-Fail Pub-Sucess Laun-Sucess Total %Act-fai_Total %Act_fail_G_Total
A 1 1 1 1 4 25 50
B 2 0 3 2 7 0 0
C 1 1 2 4 8 12.5 50

D 3 0 1 1 5 0 0
G_Total 7 2 7 8 24 8.3 100

Using the search below, I am able to get the report till %Act-fai_GTotal, but I am unable to get the %Act_fail_Total

Search:

|inputlookup _AAD.csv |where Status="Act" OR Status="Pub" OR Status="Laun" OR Status="Fail"|eval app_status = AAtype . ":" . Status | chart count over host by app_status usenull=f| addtotals | addcoltotals labelfield=host label=G_Total|foreach *Activate:Failed [eval  failed_by_total_Publish = '<<FIELD>>' * 100 / Total]

Can anyone help me to do this?

Thanks in advance

Tags (1)
0 Karma
1 Solution

tom_frotscher
Builder

Hi,

i think you want something like this:

| stats count by host "Act type" STATUS | eval new_field = 'Act type'." ".'STATUS' | chart max(count) by host new_field | fillnull | addtotals | eval perc_failed = 'Activate Failed' / Total  * 100

Here is a run every example, just copy and past it in your search bar:

| stats count | eval host="A" | eval "Act type"="Activate" | eval STATUS="Failed" | append[| stats count | eval host="B" | eval "Act type"="Publish" | eval STATUS="Success"] | append[| stats count | eval host="A" | eval "Act type"="Activate" | eval STATUS="Failed"] | append[| stats count | eval host="C" | eval "Act type"="Activate" | eval STATUS="Failed"] | append[| stats count | eval host="B" | eval "Act type"="Activate" | eval STATUS="Success"] | append[| stats count | eval host="A" | eval "Act type"="Activate" | eval STATUS="Success"] | append[| stats count | eval host="C" | eval "Act type"="Launch" | eval STATUS="Success"] | append[| stats count | eval host="B" | eval "Act type"="Activate" | eval STATUS="Success"] | table host "Act type" STATUS | stats count by host "Act type" STATUS | eval new_field = 'Act type'." ".'STATUS' | chart max(count) by host new_field | fillnull | addtotals | eval perc_failed = 'Activate Failed' / Total  * 100

View solution in original post

tom_frotscher
Builder

Hi,

i think you want something like this:

| stats count by host "Act type" STATUS | eval new_field = 'Act type'." ".'STATUS' | chart max(count) by host new_field | fillnull | addtotals | eval perc_failed = 'Activate Failed' / Total  * 100

Here is a run every example, just copy and past it in your search bar:

| stats count | eval host="A" | eval "Act type"="Activate" | eval STATUS="Failed" | append[| stats count | eval host="B" | eval "Act type"="Publish" | eval STATUS="Success"] | append[| stats count | eval host="A" | eval "Act type"="Activate" | eval STATUS="Failed"] | append[| stats count | eval host="C" | eval "Act type"="Activate" | eval STATUS="Failed"] | append[| stats count | eval host="B" | eval "Act type"="Activate" | eval STATUS="Success"] | append[| stats count | eval host="A" | eval "Act type"="Activate" | eval STATUS="Success"] | append[| stats count | eval host="C" | eval "Act type"="Launch" | eval STATUS="Success"] | append[| stats count | eval host="B" | eval "Act type"="Activate" | eval STATUS="Success"] | table host "Act type" STATUS | stats count by host "Act type" STATUS | eval new_field = 'Act type'." ".'STATUS' | chart max(count) by host new_field | fillnull | addtotals | eval perc_failed = 'Activate Failed' / Total  * 100

Laya123
Communicator

Hi,

Thanks for your response. That I got it with my query; but I want to add one more column with %Failed_Active. I want to take the percentage with same column

example: if Activate Failed having the values like ('------' given for separating the fields)

host -------- Activate Failed ------ % Failed_Active
A ------------- 2 --------------------------- 33.3 (formula to get this percent is 2/6*100)
B ------------- 3 ---------------------------50.0 (formula to get this percent is 3/6*100)
C ------------- 1 ---------------------------16.7 (formula to get this percent is 1/6*100)
D ------------- 0 --------------------------- 0.0 ( formula to get this percent is 0/6*100)
Total ------------- 6 ----------------------------100 (formula to get this percent is 6/6*100)

There is other columns also with this report, but I am getting all those but I am unable to calculate this percentage.

Thank you

0 Karma

tom_frotscher
Builder

Hi,

use eventstats to add the total number of "Activate Failed" to every event:

| stats count | eval host="A" | eval "Act type"="Activate" | eval STATUS="Failed" | append[| stats count | eval host="B" | eval "Act type"="Publish" | eval STATUS="Success"] | append[| stats count | eval host="A" | eval "Act type"="Activate" | eval STATUS="Failed"] | append[| stats count | eval host="C" | eval "Act type"="Activate" | eval STATUS="Failed"] | append[| stats count | eval host="B" | eval "Act type"="Activate" | eval STATUS="Success"] | append[| stats count | eval host="A" | eval "Act type"="Activate" | eval STATUS="Success"] | append[| stats count | eval host="C" | eval "Act type"="Launch" | eval STATUS="Success"] | append[| stats count | eval host="B" | eval "Act type"="Activate" | eval STATUS="Success"] | table host "Act type" STATUS | stats count by host "Act type" STATUS | eval new_field = 'Act type'." ".'STATUS' | chart max(count) by host new_field | fillnull | addtotals | eval perc_failed = 'Activate Failed' / Total  * 100 | eventstats sum("Activate Failed") as sum_failed | eval "% Failed Active" = 'Activate Failed' / 'sum_failed' * 100 | fields - sum_failed | addcoltotals labelfield=host label="Total" "Activate Failed" "% Failed Active"

Laya123
Communicator

Thank you so much; its working

0 Karma

somesoni2
Revered Legend

What should be the formula/value for %Act_fail_G_Total', based on your sample data??

0 Karma

woodcock
Esteemed Legend

I do not think anyone will make an effort to try to answer this question until you give us some sample raw data.

0 Karma

Laya123
Communicator

Sorry for the inconvenience

here is the raw data

host Act type STATUS
A Activate Failed
B Publish Success
A Activate Failed
C Activate Failed
B Activate Success
A Activate Success
C Launch Success
B Activate Success

I want my report like

host Activate Publish Launch Grand % of Activate failed % of Activate failed
Success Failed Success Failed Success Failed Total upon GrandTotal upon Total
A 1 2 0 0 0 0 3 66.7 66.7
B 2 0 1 0 0 0 3 0 0.0
C 0 1 0 0 1 0 2 50 33.3
Total 3 3 1 0 1 0 8 37.5 100

Using the search below, I am able to get the report till '% of Activate failed upon GrandTotal', but I am unable to get the % of Activate failed upon Total

Query:

|inputlookup _AAD.csv |where Status="Act" OR Status="Pub" OR Status="Laun" OR Status="Fail"|eval app_status = AAtype . ":" . Status | chart count over host by app_status usenull=f| addtotals | addcoltotals labelfield=host label=G_Total|foreach *Activate:Failed [eval failed_by_total_Publish = '<>' * 100 / Total]

Hope now i have given proper information

Thanks in advance

0 Karma

woodcock
Esteemed Legend

It is closer but I have more questions than ever:

  • I do not see a field AAtype in your raw data.
  • I have no idea how to read the header-line (field-names) of your desired report (I think because some/all of the names have newlines in them).
0 Karma

Laya123
Communicator

Thank you so much for your response.

AA type is Acttype in my raw data

I want my report like

Host Activate_Success Activate_Failed Publish_Success Publish_Failed Total '%failed'
A 3 2 1 0 6

B 0 1 1 0 2
C 2 0 2 1 5

Total 5 3 4 5 13
I want to calculate *%failed from 'Activate_failed' Host wise from the above example total Activate_Failed cases are 3 and i want percentage of each Host like A-66.6% and For B-33.3% and for C-0.0% Total-100%

I hope this make sense

Thanks in advance

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...