Solved: Calculating a total for use later to calculate a p...

lehrfeld · ‎02-26-2014

I am trying to calculate an overall total value for use later in my pipeline in a percentage calculation. My data looks like this

Bucket  userID  ...
1        mike
1        joe
1        sally
2        mike
2        tim
2        sally
3        mike

Report would look like this

userID #_of_buckets_in percentage
mike      3              100
joe       1              33.3
sally     2              66.6

My base search looks like this

| stats count by userID

This gives be userID and the #_of_buckets_in. When I try to add | dc(bucket) as totalBuckets to the search it only tallies up the buckets that the user is in and not the Total number of buckets.

All the data is in the same sourcetype. Thanks for any suggestions!

Mike

somesoni2 · ‎02-26-2014

Try this

your base search | eventstats dc(bucket) as UniqBuckets | stats count as #_of_buckets_in by UserID, UniqBuckets | eval percentage=round((#_of_buckets_in*100)/UniqBuckets,1) | fields - UniqueBuckets

View solution in original post

somesoni2 · ‎02-26-2014

Try this

your base search | eventstats dc(bucket) as UniqBuckets | stats count as #_of_buckets_in by UserID, UniqBuckets | eval percentage=round((#_of_buckets_in*100)/UniqBuckets,1) | fields - UniqueBuckets

Calculating a total for use later to calculate a percentage

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!