Hi,
I have a search like this:
search... | fields + user, country | stats dc(user) AS Users by country | sort - Users
The result is a table like this:
Country A - 1000
Country B - 500
Country C - 500
Is there an easy way to display the share per country in %?
Country A - 50
Country B - 25
Country C - 25
The corrected query is:
search... | fields + user, country | eventstats dc(user) as totalcount | stats dc(user) AS Users by country, totalcount | eval countrypercent=Users/totalcount*100 | sort - Users
The problem with the original query is that it didn't pass totalcount in the stats statement.
So the percentage could not be calculated.
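Why totalcount has to appear in the by clause, as an added example that is not part of the original thread: a small Python model of the eventstats, stats and eval steps. The helper names and the sample events are constructed for illustration, and the functions only approximate SPL semantics; they are not Splunk code.

```python
from collections import defaultdict

# Constructed sample events: 4 distinct users across 3 countries.
EVENTS = [
    {"user": "u1", "country": "A"},
    {"user": "u2", "country": "A"},
    {"user": "u1", "country": "A"},   # repeat event, same user
    {"user": "u3", "country": "B"},
    {"user": "u4", "country": "C"},
]

def eventstats_dc(events, field, as_name):
    """Model of `eventstats dc(field) as as_name`: annotates every event, drops none."""
    total = len({e[field] for e in events})
    return [{**e, as_name: total} for e in events]

def stats_dc(events, field, as_name, by):
    """Model of `stats dc(field) AS as_name by ...`: output rows carry ONLY
    the by-fields and the aggregate; every other field is discarded."""
    groups = defaultdict(set)
    for e in events:
        if all(k in e for k in by):   # events lacking a by-field are skipped
            groups[tuple(e[k] for k in by)].add(e[field])
    return [{**dict(zip(by, key)), as_name: len(users)}
            for key, users in groups.items()]

def eval_percent(rows):
    """Model of `eval countrypercent=Users/totalcount*100`: null if an operand is missing."""
    out = []
    for r in rows:
        pct = r["Users"] / r["totalcount"] * 100 if "totalcount" in r else None
        out.append({**r, "countrypercent": pct})
    return out

def run(by):
    """eventstats -> stats (with the given by-fields) -> eval -> sort - Users."""
    rows = stats_dc(eventstats_dc(EVENTS, "user", "totalcount"), "user", "Users", by)
    return sorted(eval_percent(rows), key=lambda r: -r["Users"])

if __name__ == "__main__":
    print(run(["country"]))                # totalcount dropped by stats, percent is None
    print(run(["country", "totalcount"]))  # totalcount carried through stats
```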
You can calculate a total distinct count and then divide your Users value by this to get a percentage.
search... | fields + user, country | eventstats dc(user) as totalcount | stats dc(user) AS Users by country | eval countrypercent=Users/totalcount*100 | sort - Users
I downvoted this post because the refined query in a later post solves the problem.
It looks like this now:
search...| fields + user
| eventstats dc(user) as totalcount
| stats dc(user) AS Users by Country
| eval countrypercent=Users/totalcount*100
This results in the original table including the total counts per Country. I also tried to find the entries for totalcount with "| table totalcount", but there are no results.
Neither eventstats nor eval filters events in any way, so I suspect you're making some other error. What does your search look like now?
Hey,
I tried this out, but Splunk tells me "no results found" after adding the eventstats & eval commands.