Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Percentage of counts (view through rates)

kramsay
Engager
‎01-09-2014 07:42 AM

I am looking to get percentages into a table.

I have 2 separate searches that count different events. I will like to combine the different searches into one table where the event count searches divide by the counts of the other search.

For example. If one search has a count of 50 and the other search has a count of 90. I will like a to create a table that shows 50/90= 55%.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-09-2014 08:13 AM

Try something like this.

<your first search | stats count(blah) as count_first> | appendcols [search <your send search | stats count(blahblah) as count second >] | eval perc=round(count_first*100/count_second,2)

Updated query per your example

index=www VTR=100 OR VTR=50| stats count(eval(VTR=100)) as Count100, count(eval(VTR=50)) as Count50 | eval percentage=(Count100/Count50)*100

View solution in original post

Reply
Solved! Jump to solution

kramsay
Engager
‎01-09-2014 12:01 PM

Here is a sample search:

Search 1
index=www VTR=100 | stats count(VTR)

Search 2
index=www VTR=50 | stats count(VTR)

Thanks.

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎01-09-2014 09:27 AM

Can you post a sample search? It can probably be done without using appends (which are inefficient)

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-09-2014 08:13 AM

Try something like this.

<your first search | stats count(blah) as count_first> | appendcols [search <your send search | stats count(blahblah) as count second >] | eval perc=round(count_first*100/count_second,2)

Updated query per your example

index=www VTR=100 OR VTR=50| stats count(eval(VTR=100)) as Count100, count(eval(VTR=50)) as Count50 | eval percentage=(Count100/Count50)*100
Reply
Solved! Jump to solution

kramsay
Engager
‎01-09-2014 02:50 PM

Thanks so much that worked like a charm

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-09-2014 01:17 PM

Ohh my bad. "<" was just used as placeholder for your search string. see updated answer per your example.

0 Karma
Reply
Solved! Jump to solution

kramsay
Engager
‎01-09-2014 12:09 PM

I tried the following:

| appendcols [search ] | eval perc=round(count_first*100/count_second,2)

but i am getting the following error.

Error in 'search' command: Unable to parse the search: Comparator '<' is missing a term on the left hand side.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...