using streamstats and stats together

elenzil · ‎02-03-2012

i'd like to produce a field per event that's the running sum of some field as a percentage of the total sum of that field over the whole search.

for example, if this were excel, my sheet would look something like this:

+-----------------------+---------------+-------------+
| original field values | running total | what i want |
+-----------------------+---------------+-------------+
|                     1 |             1 |         20% |
|                     1 |             2 |         40% |
|                     1 |             3 |         60% |
|                     1 |             4 |         80% |
|                     1 |             5 |        100% |
+-----------------------+---------------+-------------+

i see that streamstats or accum can generate my "running total" column,
but to get my "what i want" column, i need the output of stats c() or stats sum(),
which destroys the individual events.

i feel like it might be a job for a sub-search and appendcols, but i haven't been able to work it out.

thanks in advance,
orion

mzorzi · ‎01-11-2015

value sumvalue total percentage
1 1 5 20
1 2 5 40
1 3 5 60
1 4 5 80
1 5 5 100

using streamstats and stats together

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!