Splunk Search

how to display percentage of total

BertKraan
Engager

I count all my httpstatus'ses and get a neat result using:

index=prd_access sourcetype="access:web:iis:project" | chart count by httpstatus | addcoltotals count

Using addcoltotals I even have the grand total of all httpstatus'ses.

Now what I would like to do is displaying the http code followed by percentage of the total, something along the lines of:

200 95,9 %

304 3,1 %

404 0,1 %

et cetera

I'm sure this has been done before but can someone point me in the right direction?

Thanks in advance,

Bert

Tags (1)
0 Karma
1 Solution

Ayn
Legend

Using eventstats might be better:

index=prd_access sourcetype="access:web:iis:project" | eventstats count as totalcount | chart count,first(totalcount) as totalcount by httpstatus | eval percentage=count/totalcount

View solution in original post

Ayn
Legend

Using eventstats might be better:

index=prd_access sourcetype="access:web:iis:project" | eventstats count as totalcount | chart count,first(totalcount) as totalcount by httpstatus | eval percentage=count/totalcount

BertKraan
Engager

Great! Thanks for your answer!

(Is there anything like a structured tutorial into the Splunk search/query language?) I didn't hear of eventstats before, but It solves my problem.

Thanks again!

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...