I am new to splunka and have a question on charting percentage field that is derived from search/query result.
Splunk indexed logs:
2013-10-11 17:46:22,539 INFO [com.xxx.yyy] score=891 url_id=200
I would like to chart a % of urls whose score < 100.
I use below query to get list of score count.
host="abc" AND com.xxx.yyy "score" | chart count by score
How can I calculate a percentage of score <100 using splunk?
Try below query
host="abc" AND com.xxx.yyy | stats count(eval(score<100)) as CountLess, count as Total by date_hour| eval perc=CountLess*100/Total | fields date_hour,perc
Try below query
host="abc" AND com.xxx.yyy | stats count(eval(score<100)) as CountLess, count as Total by date_hour| eval perc=CountLess*100/Total | fields date_hour,perc