Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to display percentage of total
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BertKraan
Engager
01-29-2014
04:22 AM
I count all my httpstatus'ses and get a neat result using:
index=prd_access sourcetype="access:web:iis:project" | chart count by httpstatus | addcoltotals count
Using addcoltotals I even have the grand total of all httpstatus'ses.
Now what I would like to do is displaying the http code followed by percentage of the total, something along the lines of:
200 95,9 %
304 3,1 %
404 0,1 %
et cetera
I'm sure this has been done before but can someone point me in the right direction?
Thanks in advance,
Bert
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
01-29-2014
04:48 AM
Using eventstats might be better:
index=prd_access sourcetype="access:web:iis:project" | eventstats count as totalcount | chart count,first(totalcount) as totalcount by httpstatus | eval percentage=count/totalcount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
01-29-2014
04:48 AM
Using eventstats might be better:
index=prd_access sourcetype="access:web:iis:project" | eventstats count as totalcount | chart count,first(totalcount) as totalcount by httpstatus | eval percentage=count/totalcount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BertKraan
Engager
01-29-2014
05:12 AM
Great! Thanks for your answer!
(Is there anything like a structured tutorial into the Splunk search/query language?) I didn't hear of eventstats before, but It solves my problem.
Thanks again!
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
