- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to show a percentage of the total events in a ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I feel dumb for asking something so simple, but I can't make this work. I'm trying to show a percentage I've calculated as a piechart:
| dbxquery query=stuff | stats count(eval(Start_Date_Time >
End_Date_Time)) as breach count as total | eval percent=breach/total*100 | eval total=total/total*100 | chart max(percent) over total
As you can see, I calculated both the percent of events where the start time is greater than the end time, and the corresponding total, which, of course is 100%. All I need to do now is show it in a pie chart. I calculated the total percent due to the chart only showing a solid block of color for my percent. I was hoping that I could use it to show the percentage correctly, but I was wrong on that.
Also, I can't use top; I need to consider all the events, not just the top values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
| dbxquery query=stuff
| stats count(eval(Start_Date_Time > End_Date_Time)) as breach count as total
| eval breach=100*breach/total
| eval non-breach=100-breach
| transpose
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
| dbxquery query=stuff
| stats count(eval(Start_Date_Time > End_Date_Time)) as breach count as total
| eval breach=100*breach/total
| eval non-breach=100-breach
| transpose
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This actually works very well. I just made a minor modification to get rid of the total field.
| dbxquery query=stuff
| stats count(eval(Start_Date_Time > End_Date_Time)) as breach count as total
| eval breach=100*breach/total
| eval non-breach=100-breach
| transpose
Now I'm just going to figure out how to show count with it. Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you don't do the percentage and just show raw values for breach and non-breach it should show both count and percent.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Pie chart requires a by-clause
Try
| chart max(percent) by something
You don't even have to calculate the percent
This might work:
| stats max(breach) by _time
You need your data to end up with multiple rows and more than one column like this:
hostname,breach_count
HostA,25
HostB,75
Then | stats max(breach_count) by hostname
would have a pie chart where the total is 100 and HostA would be 25% and HostB would be 75%.
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
Detecting Remote Code Executions With the Splunk Threat Research Team
