Splunk Search

Stats as Percentages Of Total

HeinzWaescher
Motivator

Hi,

I have a search like this:

search... | fields + user, country | stats dc(user) AS Users by country | sort - Users

The result is a table like this:

Country A - 1000

Country B - 500

Country C - 500

Is there an easy way to display the share per country in %?

Country A - 50

Country B - 25

Country C - 25

0 Karma

sansay
Contributor

The corrected query is:

search... | fields + user, country | eventstats dc(user) as totalcount | stats dc(user) AS Users by country, totalcount | eval countrypercent=Users/totalcount*100 | sort - Users

The problem with the original query is that it didn't pass totalcount in the stats statement.
So the percentage could not be calculated.

Ayn
Legend

You can calculate a total distinct count and then divide your Users value by this to get a percentage.

search... | fields + user, country | eventstats dc(user) as totalcount | stats dc(user) AS Users by country | eval countrypercent=Users/totalcount*100 | sort - Users

GeorgeStarkey
Path Finder

I downvoted this post because the refined query in a later post solves the problem.

0 Karma

HeinzWaescher
Motivator

It looks like this now:

search... | fields + user
| eventstats dc(user) as totalcount
| stats dc(user) AS Users by Country
| eval countrypercent=Users/totalcount*100

This results in the original table including the total counts per Country. I also tried to find the entries for totalcount with "| table totalcount", but there are no results.

0 Karma

Ayn
Legend

Neither eventstats nor eval filters events in any way, so I suspect you're making some other error. What does your search look like now?

0 Karma

HeinzWaescher
Motivator

Hey,

I tried this out, but Splunk tells me "no results found" after adding the eventstats & eval commands.

0 Karma
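
Added example, not part of any post in this thread: a small Python model (not Splunk code) of the two pipelines discussed above, showing why the query without totalcount in the stats by-clause produces no countrypercent while the corrected one does. The function names and the eight-user sample data are constructed for illustration.

```python
# Python model of the SPL pipelines in this thread (an added illustration,
# not Splunk code). EVENTS is constructed sample data: 4 / 2 / 2 users.
EVENTS = (
    [{"user": f"a{i}", "country": "A"} for i in range(4)]
    + [{"user": f"b{i}", "country": "B"} for i in range(2)]
    + [{"user": f"c{i}", "country": "C"} for i in range(2)]
)


def eventstats_dc(events, field, out):
    """eventstats dc(field) AS out: add the overall distinct count to every event."""
    total = len({e[field] for e in events})
    return [{**e, out: total} for e in events]


def stats_dc_by(events, field, out, by):
    """stats dc(field) AS out BY by...: emit one row per group.

    As in SPL, the output rows carry only the BY fields and the aggregate;
    every other field on the input events is dropped.
    """
    groups = {}
    for e in events:
        groups.setdefault(tuple(e[b] for b in by), set()).add(e[field])
    return [{**dict(zip(by, key)), out: len(users)} for key, users in groups.items()]


def eval_percent(rows):
    """eval countrypercent=Users/totalcount*100: a null operand leaves the field unset."""
    out = []
    for r in rows:
        r = dict(r)
        if r.get("totalcount") is not None:
            r["countrypercent"] = r["Users"] / r["totalcount"] * 100
        out.append(r)
    return sorted(out, key=lambda r: -r["Users"])  # sort - Users


def first_attempt(events):
    """stats ... BY country: totalcount is gone before eval runs."""
    rows = stats_dc_by(eventstats_dc(events, "user", "totalcount"), "user", "Users", ["country"])
    return eval_percent(rows)


def corrected(events):
    """stats ... BY country, totalcount: totalcount survives as a BY field."""
    rows = stats_dc_by(eventstats_dc(events, "user", "totalcount"), "user", "Users", ["country", "totalcount"])
    return eval_percent(rows)
```

Because totalcount has the same value on every event, adding it to the by-clause does not split the per-country groups.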