- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- top command (or count & percent of values) off sta...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using Splunk 5.0.8 SH right now, upgrade to 6 not until June.
I have a dashboard that currently executes 24 searches for a span of 24 hours. Goal: Run one search and post-process the dash panels as everything has one filter search and can be summarized into 7 different fields and value combos. That one search would be saved and accelerated and end in a stats command.
ISSUE: most of my panels are top commands. since I plan to both timechart and top the results, I would be bucketing _time. How can I use the top command to take into account the values from the count field? Example of issue: If I have one stats event with browser=IE and a count of 10 and another stats event with browser=Chrome with a count of 5, a | top browser will show me:
browser count percent
Chrome 1 50%
IE 1 50%
This is not what I need. I need both the sum of count for each value rather than the top command's count of the events. I also need the percent so just doing a sum(count) by browser | sort browser | head 10 doesn't do it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I found my own answer after more Splunk Answers digging: Found here
Basically what I need is this added to get a "top-like result" for summarized data (either from a summary index or post processing from a stats commanded result:
| stats sum(count) as count by browser | eventstats sum(count) as Total | eval percent = round((count/Total)*100,2) . "%" | fields - Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am assuming after the stats command, the events are like below
brower count
IE xx
Chrome yy
......
Then you can do something like this after stats.
...your stats query...| eventstats sum(count) as Total | eval percent=round(count*100/Total,1)."%" | sort -count | streamstats count as sno | where sno < NoOfTopValuesYouWantToSee | fields - Total, sno
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I found my own answer after more Splunk Answers digging: Found here
Basically what I need is this added to get a "top-like result" for summarized data (either from a summary index or post processing from a stats commanded result:
| stats sum(count) as count by browser | eventstats sum(count) as Total | eval percent = round((count/Total)*100,2) . "%" | fields - Total
Index This | I’m short for "configuration file.” What am I?
New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...
Your Guide to SPL2 at .conf24!
