Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Counting results with versus without a term and graphing number as percentage for each day

gbolcer
Explorer
‎01-21-2011 08:36 PM

I have 2,894 events when I do a search for everything in my index.

When a do a search for a subset of things with an added search term, I get 49.

So for that time period of everything, I want to be able to show a 1.6% out of 100% graph.

Further, I want for each day (24 hour period) to calculate the number of times a term shows up in events divided by the total events to show up as a daily 0-100% graph.

Ideas?

Tags (2)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎01-21-2011 10:17 PM

The most efficient way for a whole index would be:

mysearchterm 
| stats count 
| eval [ eventcount | rename count as totalcount | format "" "" "" "" "" "" ] 
| eval pct=100*(count/totalcount)

But this is hacky and skeevy and not generalizable to get daily counts and percentages

More generally, the best way to get your would be to do:

* | timechart span=1d 
    count as totalcount
    count(eval(searchmatch("mysearchterm"))) as count 
  | eval pct=100*(count/totalcount)

Of course, you could modify your the part in the eval(...) and use a different function if that's more suitable: http://www.splunk.com/base/Documentation/4.1.12/SearchReference/CommonEvalFunctions

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎01-21-2011 10:22 PM

Additionally, if you're doing this frequently, you should considering building and storing a summary index of the daily event counts rather than having to retrieve and count every event each time your run the query.

0 Karma
Reply

David
Splunk Employee
Splunk Employee
‎01-21-2011 08:48 PM

I wouldn't think that this would scale particularly well, since you're going to be running a global search, and if you get to tens or hundreds of thousands of events, it'll get very slow. But for small numbers you could use:

search | stats count as TotalCount | appendcols [search foo | stats count as SubsetCount] | eval Perc = round((SubsetCount/TotalCount)*100,2) | fields Perc

For the daily graph, you could put the above in a summary index and then just query that. If you wanted to do it on the fly, you could go for:

search | timechart count as TotalCount span=1d | join _time [search foo | timechart count as SubsetCount span=1d] | eval Perc = round((SubsetCount/TotalCount)*100,2) | fields - TotalCount, SubsetCount

Hope that helps.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...