Solved: calculating percentage using eval and stats comman...

manju1318 · ‎07-14-2023

Hi, I am working on a task: calculating the percentage of employees working in food industry for each country. I tried to develop the code but its not working. please correct my where its mistake.

| stats sum("Number of employees") as Total_Emp by Country
| where Industry="Food*"
| stats sum("Number of employees") as Food_Emp by Country
| eval Percent = round((Food_Emp/Total_Emp)*100,2)."%"

PickleRick · ‎07-14-2023

Each command in the search pipeline knows only the results from preceeding commands (probably that's why the pipe sign to separate them because it's very similar to shell stream processing). So as soon as you do the first stats command you lose the information about raw data and can only operate on aggregated results.

There are several possible approaches to your problem but I'd do it like this:

| stats sum('Number of employees') as overall sum(eval(if(like(Industry,"Food%"),'Number of employees',0))) as food by Country

(Might have some mismatched parentheses)

View solution in original post

manju1318 · ‎07-14-2023

thank you for responding.

PickleRick · ‎07-14-2023

Each command in the search pipeline knows only the results from preceeding commands (probably that's why the pipe sign to separate them because it's very similar to shell stream processing). So as soon as you do the first stats command you lose the information about raw data and can only operate on aggregated results.

There are several possible approaches to your problem but I'd do it like this:

| stats sum('Number of employees') as overall sum(eval(if(like(Industry,"Food%"),'Number of employees',0))) as food by Country

(Might have some mismatched parentheses)

calculating percentage using eval and stats commands

eval

fields

stats

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!