Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Get percentage after case and stats calculations

dwong2
New Member
‎05-07-2018 11:34 AM

...search
| eval Type=case(like(publishId,"%U"),"UnSubscribed",like(publishId,"%S"),"Subscribed")
| stats dc(accountExId) as TotalAccounts count(tile) as count by Type

How do I get a percentage after the above results?
If Subscribed: eval round(count/TotalAccounts*100,2)
If UnSubscribed: eval round(count/totalAccounts*100,2)

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-07-2018 11:52 AM

Try like this

...search
| eval Type=case(like(publishId,"%U"),"UnSubscribed",like(publishId,"%S"),"Subscribed") 
| stats dc(accountExId) as TotalAccounts count(tile) as count by Type
| eval Percentage=round(count/TotalAccounts*100,2)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-07-2018 11:52 AM

Try like this

...search
| eval Type=case(like(publishId,"%U"),"UnSubscribed",like(publishId,"%S"),"Subscribed") 
| stats dc(accountExId) as TotalAccounts count(tile) as count by Type
| eval Percentage=round(count/TotalAccounts*100,2)
0 Karma
Reply
Solved! Jump to solution

dwong2
New Member
‎05-07-2018 02:59 PM

Just checked the calculations and something is off with my calc's..
For the count(tile) as count by Type:
...this is the data:
accountId=12345678
tile=tile1

accountId=87654321
tile=tile2

accountId=12345678
tile=tile3

How can I get the distinct count for accountId? For the above example, I only want to count accountId twice because all I care about is if the accountId has at least one entry for tile... so the count should be only 2.

0 Karma
Reply
Solved! Jump to solution

dwong2
New Member
‎05-07-2018 01:31 PM

Didn't know that the eval Percentage would calculate for both Subscribed and UnSubscribed with one statement. Thought that I would have to explicitly call it out. Anyways, works like a charm. Thank You!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-07-2018 01:37 PM

Yes.. with stats command, both values are coming under single field 'Type', so single eval (which is done for each row) is sufficient.

0 Karma
Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...