Splunk Search

calculate percentage from two sums?

dang
Path Finder

I'm hoping this doesn't stretch the bounds of "no question is too 'newbie'" part of the FAQ:

I'm attempting to perform a simple calculation of sum(attempts)/sum(successes) and show three columns of data: successes, attempts and percentage. I can't seem to get this data to display with a timechart span=5m clause. Can anyone help me out with the correct syntax? I did some searching and saw a reference to something that indicates this is on the right track, but I can't seem to make it work:

eval percent_difference=((sum(attempts)/sum(Successes))*100) | table percent_difference

Splunk returns "Error in 'eval' command: The 'sum' function is unsupported." when I use this.

1 Solution

sideview
SplunkTrust

Are 'attempts' and 'successes' fields that are being extracted from each event?

Is the difference in casing intentional? In one place you say 'successes', but in the search it's in title case. (Beware that field names in Splunk are case-sensitive.)

Assuming the events in <your search> are returning fields called 'attempts' and 'successes', the following will give you a timechart where the y-axis is showing the percentage of successes for each time-bucket in the chart.

<your search> | timechart sum(attempts) as totalAttempts sum(successes) as totalSuccesses     
| eval percent=totalSuccesses*100/totalAttempts | fields - totalAttempts totalSuccesses
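
Added example (not part of the original answer): a variant of the search above that keeps all three columns the question asked for, uses span=5m, and leaves the percentage empty for buckets with zero attempts instead of dividing by zero. The events are constructed with makeresults so the search runs without any index; the offsets and counts are made-up sample values.

```spl
| makeresults count=5
| streamstats count as n
| eval base = floor(now() / 300) * 300 - 900
| eval _time = base + case(n==1, 30, n==2, 120, n==3, 330, n==4, 640, n==5, 700)
| eval attempts  = case(n==1, 10, n==2, 5, n==3, 0, n==4, 8, n==5, 12)
| eval successes = case(n==1, 9,  n==2, 5, n==3, 0, n==4, 2, n==5, 3)
| timechart span=5m sum(attempts) as attempts sum(successes) as successes
| eval percent = if(attempts > 0, round(successes * 100 / attempts, 2), null())
```

To use it on real data, replace everything before the timechart line with your own search. The sums are computed per bucket by timechart first, and eval then works on those per-bucket totals, which is why sum() is never called inside eval.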

dang
Path Finder

Thanks! I was able to get this to work. The mixed case was accidental, and thanks for pointing it out.
