
Combining stats search results

Thuan
Explorer

I run a search on a field that has multiple values. For example, the field quest_name has the following values:

quest_name
wpad.TASCNET.tasc.com
wpad.tascnet.tasc.com
wpad.stafford.net

1) I can compute the number of records that exist for each field value with the following search:

index=dns* quest_name=wpad* | stats count by quest_name | sort - count

The results are:

quest_name              count
wpad.TASCNET.tasc.com   5777
wpad.tascnet.tasc.com   1324
wpad.stafford.net        225

2) I can compute the total number of records for all values of quest_name with the following search:

index=dns* quest_name=wpad* | stats count(quest_name) AS total

The results are:

total
9492

3) Now I want to obtain the percentage of each field value in relation to the "total" value, using a single search, to show the following calculations:

quest_name              count   percent
wpad.TASCNET.tasc.com   5777    5777/9492=
wpad.tascnet.tasc.com   1324    1324/9492=
wpad.stafford.net        225     225/9492=

This I have not been able to do. Your help is requested. Thank you.


Thuan
Explorer

Thank you for the diversity of answers.
I now know how to use subsearch, join and eventstats.
One note, though, about the captchas: I tried to answer much earlier, but I got so many captchas.


somesoni2
SplunkTrust

The top command can definitely give you the result.

  index=dns quest_name=wpad* | top limit=0 quest_name

Another option is as below:

index=dns quest_name=wpad* | stats count by quest_name | sort - count | eventstats sum(count) as total | eval percent=round(count*100/total,2) | fields - total

linu1988
Champion

Hello Thuan,
Try this:

index=dns quest_name=wpad* | stats count by quest_name | eval a="a1" | join a [search index=dns quest_name=wpad* | stats count(quest_name) AS total | eval a="a1" | table a,total] | eval percent=(count/total)*100 | eval percentage=percent."%" | table quest_name,count,percentage

Or you may also look at the simple one below; I guess both give the same result.

index=dns quest_name=wpad* | top quest_name

Thanks

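Added example, not from any reply in this thread and not Splunk's own documentation: one search that combines the stats/eventstats approach above with the question's own index=dns* and quest_name field, keeping the total column visible next to each row so the per-row arithmetic from the question can be checked. It goes one step beyond the answers: the sample rows wpad.TASCNET.tasc.com and wpad.tascnet.tasc.com differ only in letter case, and DNS names are case-insensitive, so the lower() line folds them into a single row before counting. Remove that line to keep the values separate, exactly as in the original question.

```spl
index=dns* quest_name=wpad*
| eval quest_name=lower(quest_name)
| stats count BY quest_name
| eventstats sum(count) AS total
| eval percent=round(count*100/total, 2)
| sort - count
| table quest_name count total percent
```

eventstats adds the sum across all rows to every row without collapsing them, which is what makes the per-row division possible in a single pipeline; the join form in the reply above reaches the same result by running the total as a subsearch. If the total column is not needed, `| top limit=0 showperc=true quest_name` after the lower() line produces the same count and percent columns directly.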