Re: how to use table with percentage?

pacifikn · ‎12-10-2020

Hi ALL!!

Help me on how I can use the table function in query with percent

|table field-1, field-2, field-3 |stats count by field-1, field-2, field-3

| eval percentage=round(count/total*100,2)."%" |fields - total

This is the query I used but there's no percentage columns appeared, what query can I use to displ

Kindly help me out????

here's the column i want to have:

host signature action count percentage

I need your help?

- Other Question , what makes the query to take long time loading or more time to display after pressing search button?

Thanking you in advance.

bowesmana · ‎12-10-2020

Slow queries are generally due to

too much data
poor hardware
too long a time search window
badly written queries

In your query, you are searching all indexes - what is your time range and how much data are you dealing with.

bowesmana · ‎12-10-2020

You do not need to use table if you are following this with an aggregation, like stats.

You don't have a total calculated anywhere, so cannot do the eval you are trying to do

index=* action=*  
| stats count by  host, signature, action
| eventstats sum(count) as total
| eval percentage=round(count/total*100,2)."%" 
| fields - total

The eventstats will then sum all the counts to get the total and you can then do your percentage calculation afterwards

how to use table with percentage?

count

eval

table

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?