Splunk Search

Top percentage from stats output?

smisplunk
Path Finder

I've got a search which returns a simple table like this one:

clean    61234
cleaned     22
infected   173
spam     87134

I'd like to calculate percentages from these results. I don't seem to be able to eval total=sum(count) to then perform arbitrary math, and top gives a count of one for each item, so they're all at 25%.

Tags (2)
1 Solution

sideview
SplunkTrust
SplunkTrust

you can use the eventstats command to do this. Eventstats is a very unusual command but it was added to do things like this, where you want statistics about the entire search results but you want those statistics available as fields on each event.

eventstats sum(count) as total will take the sum of all the count fields across all the rows in the set, and add that as a total field on each event

So the desired end goal is:

<your search> | eventstats sum(count) as total | eval percent=100*count/total | strcat percent "%" percent

Read more about eventstats and see more examples at: http://www.splunk.com/base/Documentation/latest/SearchReference/Eventstats

View solution in original post

bwooden
Splunk Employee
Splunk Employee

Hi smisplunk. If you're seeing top report 25% for each of these values

clean 61234
cleaned 22
infected 173
spam 87134

then you may be piping to top after another summary operation.

If I perform a search

* | stats count by sourcetype | top sourcetype

It will show me that each sourcetype has an equal share (due to summary operation rolling-up the count for all sourcetypes to 1)

sourcetype     count     percent
test-too_small     1     33.333333
new-too_small     1     33.333333
fs_notification     1     33.333333

We need to drop the previous summary operation to let top work its magic

* | top sourcetype

That will return the percentage value pre-aggregation (notice the counts for each are now 8, 3, and 1 instead of ones)

sourcetype     count     percent
fs_notification     8     66.666667
new-too_small     3     25.000000
test-too_small     1     8.333333


Nick's (above) suggestion, 4TW:

* | stats count by sourcetype | eventstats sum(count) as total | eval percent=100*count/total | strcat percent "%" percent

sourcetype     count     percent          total
fs_notification     8     66.666667%     12
new-too_small    3     25%                 12
test-too_small     1     8.333333%      12

sideview
SplunkTrust
SplunkTrust

you can use the eventstats command to do this. Eventstats is a very unusual command but it was added to do things like this, where you want statistics about the entire search results but you want those statistics available as fields on each event.

eventstats sum(count) as total will take the sum of all the count fields across all the rows in the set, and add that as a total field on each event

So the desired end goal is:

<your search> | eventstats sum(count) as total | eval percent=100*count/total | strcat percent "%" percent

Read more about eventstats and see more examples at: http://www.splunk.com/base/Documentation/latest/SearchReference/Eventstats

haridsv
Engager

Instead of strcat, it is better to use fieldformat like this: | fieldformat percent=percent+"%"

0 Karma

dwaddle
SplunkTrust
SplunkTrust

Use the 'top' search operator, which will include the percentages.

http://www.splunk.com/base/Documentation/4.1.2/SearchReference/Top

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...