Splunk Search

How to reuse the count from a previous search to calculate a percentage in a second search or combine the two searches?

otman01
Communicator

Hi,

I want to create a dashboard using these 2 searches:
1) the first one, index='text' | count, will give a result. For example, result=250
2) the second one will be based on the result of the first one:
index='text' type='cpu'| eventstats sum(nombre) as total | eval pourcentage=round((nombre/result)*100,2) | table EventType, nombre, pourcentage

Do you have an idea how to do this?
Thank you all, have a nice day


otman01
Communicator

Thank you, I could find another solution; for my case I use a WHERE expression to extract just one line.

0 Karma

chimell
Motivator

Hi otman01
Try this xml code

    <dashboard>
      <label>fcff</label>
      <row>
        <panel>
          <chart>
            <search>
              <query>source="WinEventLog:*" | chart count AS result</query>
              <earliest>0</earliest>
              <latest>now</latest>
            </search>
          </chart>
        </panel>
      </row>
      <row>
        <panel>
          <chart>
            <search>
              <query>source="WinEventLog:*" EventType=0 | chart count by EventType</query>
              <earliest>0</earliest>
              <latest>now</latest>
            </search>
          </chart>
        </panel>
      </row>
      <row>
        <panel>
          <chart>
            <search>
              <query>source="WinEventLog:*" | chart count as nombre by EventType | eventstats sum(nombre) as total | eval percentage=round((nombre/total)*100,2) | table EventType, nombre, percentage</query>
              <earliest>0</earliest>
              <latest>now</latest>
            </search>
          </chart>
        </panel>
      </row>
    </dashboard>
0 Karma

chimell
Motivator

Are you satisfied by my previous answer? If yes, please vote for it.

otman01
Communicator

Thank you for your answer.
So this is an extract of the result that the search returns:

    EventType    nombre    percentage
    0            8246      14.43
    1            18        0.03
    2            7512      13.15
    3            3982      6.97
    4            37286     65.25
    5            101       0.18

What I want to do is extract, for example, the 2nd row and the 4th row.
Is this POSSIBLE?

0 Karma

ppablo
Retired

Hi @otman01

Please be sure that when responding to someone's answer, you click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You keep typing your responses in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer when it was really meant as a comment. This will help with a clean continuous flow of the conversation. It gets difficult when people don't know who you're responding to. I already converted your answer to a comment, so just something to keep in mind from here on out. Thanks

0 Karma

otman01
Communicator

Yes, EventType is a field for me; there are values that it accepts (0.1.2.3.4.5.6).
Thank you

0 Karma

stephane_cyrill
Builder

Hi, Otman01
try this:
index='text'|count AS result [search index='text' type='cpu'| eventstats sum(nombre) as total ]| eval pourcentage=round((nombre/result)*100,2) | table EventType, nombre, pourcentage

Thanks to vote and accept if you are satisfied.

0 Karma

otman01
Communicator

I have some problems in the 2 searches. Can you help me? Thank you
"Error in 'chart' command: The argument '( ( EventType=0 AND count=7957 ) )' is invalid."

This is exactly the first search:
source="WinEventLog:*" | chart count AS result

this is the second:
search source="WinEventLog:*" EventType=0 | chart count by EventType

In the general search I do like below (it works to give me the percentage):

source="WinEventLog:*" | chart count as nombre by EventType | eventstats sum(nombre) as total | eval percentage=round((nombre/total)*100,2) | table EventType, nombre, percentage

But I want to keep each row in a separate panel.

0 Karma
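Here is an added example (not posted by anyone in the thread) of one way to reuse the count from the first search in the other panels: a global search whose `<done>` handler stores the single `result` field in a token, which the later queries read instead of re-running `eventstats`. It assumes the same `source="WinEventLog:*"` data and `EventType` field as in the thread; the search id `total_search` and the token name `total_count` are my own choices.

```xml
<dashboard>
  <label>EventType share of all events (added example)</label>
  <!-- Global search run once; <done> copies its single-row field "result"
       into the token $total_count$ so the other panels can reuse the count. -->
  <search id="total_search">
    <query>source="WinEventLog:*" | stats count AS result</query>
    <earliest>0</earliest>
    <latest>now</latest>
    <done>
      <set token="total_count">$result.result$</set>
    </done>
  </search>
  <row>
    <panel>
      <title>Total events: $total_count$</title>
      <single>
        <search base="total_search">
          <query>table result</query>
        </search>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>All EventTypes (percentage computed against the reused total)</title>
      <table>
        <!-- A panel whose query references $total_count$ waits until the token is set. -->
        <search>
          <query>source="WinEventLog:*" | stats count AS nombre BY EventType | eval pourcentage=round((nombre/$total_count$)*100,2) | table EventType, nombre, pourcentage</query>
          <earliest>0</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <!-- One panel per EventType: keep only the wanted row with where. -->
    <panel>
      <title>EventType 1 only</title>
      <single>
        <search>
          <query>source="WinEventLog:*" | stats count AS nombre BY EventType | where EventType=1 | eval pourcentage=round((nombre/$total_count$)*100,2) | fields pourcentage</query>
          <earliest>0</earliest>
          <latest>now</latest>
        </search>
      </single>
    </panel>
  </row>
</dashboard>
```

To get a separate panel for another row (for example EventType 3), copy the last panel and change the `where EventType=1` filter.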