Splunk Search

how to display percentage of total

BertKraan
Engager

I count all my httpstatus'ses and get a neat result using:

index=prd_access sourcetype="access:web:iis:project" | chart count by httpstatus | addcoltotals count

Using addcoltotals I even have the grand total of all httpstatus'ses.

Now what I would like to do is displaying the http code followed by percentage of the total, something along the lines of:

200 95,9 %

304 3,1 %

404 0,1 %

et cetera

I'm sure this has been done before but can someone point me in the right direction?

Thanks in advance,

Bert

Tags (1)
0 Karma
1 Solution

Ayn
Legend

Using eventstats might be better:

index=prd_access sourcetype="access:web:iis:project" | eventstats count as totalcount | chart count,first(totalcount) as totalcount by httpstatus | eval percentage=count/totalcount

View solution in original post

Ayn
Legend

Using eventstats might be better:

index=prd_access sourcetype="access:web:iis:project" | eventstats count as totalcount | chart count,first(totalcount) as totalcount by httpstatus | eval percentage=count/totalcount

BertKraan
Engager

Great! Thanks for your answer!

(Is there anything like a structured tutorial into the Splunk search/query language?) I didn't hear of eventstats before, but It solves my problem.

Thanks again!

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...