Solved: how to display percentage of total

BertKraan · ‎01-29-2014

I count all my httpstatus'ses and get a neat result using:

index=prd_access sourcetype="access:web:iis:project" | chart count by httpstatus | addcoltotals count

Using addcoltotals I even have the grand total of all httpstatus'ses.

Now what I would like to do is displaying the http code followed by percentage of the total, something along the lines of:

200 95,9 %

304 3,1 %

404 0,1 %

et cetera

I'm sure this has been done before but can someone point me in the right direction?

Thanks in advance,

Bert

Ayn · ‎01-29-2014

Using eventstats might be better:

index=prd_access sourcetype="access:web:iis:project" | eventstats count as totalcount | chart count,first(totalcount) as totalcount by httpstatus | eval percentage=count/totalcount

View solution in original post

Ayn · ‎01-29-2014

Using eventstats might be better:

index=prd_access sourcetype="access:web:iis:project" | eventstats count as totalcount | chart count,first(totalcount) as totalcount by httpstatus | eval percentage=count/totalcount

BertKraan · ‎01-29-2014

Great! Thanks for your answer!

(Is there anything like a structured tutorial into the Splunk search/query language?) I didn't hear of eventstats before, but It solves my problem.

Thanks again!

how to display percentage of total

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor