Splunk Search

Percentage of counts (view through rates)

kramsay
Engager

I am looking to get percentages into a table.

I have 2 separate searches that count different events. I would like to combine the different searches into one table where the event count searches divide by the counts of the other search.

For example, if one search has a count of 50 and the other search has a count of 90, I would like to create a table that shows 50/90 = 55%.

0 Karma

somesoni2
SplunkTrust

Try something like this.

<your first search | stats count(blah) as count_first> | appendcols [search <your second search | stats count(blahblah) as count_second>] | eval perc=round(count_first*100/count_second,2)

Updated query per your example

index=www VTR=100 OR VTR=50| stats count(eval(VTR=100)) as Count100, count(eval(VTR=50)) as Count50 | eval percentage=(Count100/Count50)*100
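
An added example, not part of the original answer: the same single-search approach run over constructed events so the 50/90 case from the question can be reproduced without access to the real index. The `makeresults`/`streamstats` lines and the field `n` are assumptions used only to build sample data; the `if(...)` guard leaves the percentage empty instead of dividing by zero when no `VTR=50` events exist.

```spl
| makeresults count=140
``` constructed sample data: events 1-50 get VTR=100, events 51-140 get VTR=50 ```
| streamstats count as n
| eval VTR=if(n<=50, 100, 50)
``` one pass over the events, counting each VTR value separately ```
| stats count(eval(VTR=100)) as Count100, count(eval(VTR=50)) as Count50
``` guard the denominator and round to two decimals ```
| eval percentage=if(Count50=0, null(), round(Count100*100/Count50, 2))
| table Count100 Count50 percentage
```

To use it on real data, replace the first three commands with `index=www VTR=100 OR VTR=50` as in the answer above.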


kramsay
Engager

Here is a sample search:

Search 1
index=www VTR=100 | stats count(VTR)

Search 2
index=www VTR=50 | stats count(VTR)

Thanks.

0 Karma

alacercogitatus
SplunkTrust

Can you post a sample search? It can probably be done without using appends (which are inefficient)

0 Karma

kramsay
Engager

Thanks so much, that worked like a charm.

0 Karma

somesoni2
SplunkTrust

Ohh, my bad. "<" was just used as a placeholder for your search string. See the updated answer per your example.

0 Karma

kramsay
Engager

I tried the following:

| appendcols [search ] | eval perc=round(count_first*100/count_second,2)

but I am getting the following error.

Error in 'search' command: Unable to parse the search: Comparator '<' is missing a term on the left hand side.

0 Karma