I've got a search which returns a simple table like this one:
clean 61234 cleaned 22 infected 173 spam 87134
I'd like to calculate percentages from these results. I don't seem to be able to eval total=sum(count) to then perform arbitrary math, and top gives a count of one for each item, so they're all at 25%.
you can use the eventstats command to do this. Eventstats is a very unusual command but it was added to do things like this, where you want statistics about the entire search results but you want those statistics available as fields on each event.
eventstats sum(count) as total
will take the sum of all the count fields across all the rows in the set, and add that as a total
field on each event
So the desired end goal is:
<your search> | eventstats sum(count) as total | eval percent=100*count/total | strcat percent "%" percent
Read more about eventstats and see more examples at: http://www.splunk.com/base/Documentation/latest/SearchReference/Eventstats
Hi smisplunk. If you're seeing top report 25% for each of these values
clean 61234
cleaned 22
infected 173
spam 87134
then you may be piping to top after another summary operation.
If I perform a search
* | stats count by sourcetype | top sourcetype
It will show me that each sourcetype has an equal share (due to summary operation rolling-up the count for all sourcetypes to 1)
sourcetype count percent
test-too_small 1 33.333333
new-too_small 1 33.333333
fs_notification 1 33.333333
We need to drop the previous summary operation to let top work its magic
* | top sourcetype
That will return the percentage value pre-aggregation (notice the counts for each are now 8, 3, and 1 instead of ones)
sourcetype count percent
fs_notification 8 66.666667
new-too_small 3 25.000000
test-too_small 1 8.333333
Nick's (above) suggestion, 4TW:
* | stats count by sourcetype | eventstats sum(count) as total | eval percent=100*count/total | strcat percent "%" percent
sourcetype count percent total
fs_notification 8 66.666667% 12
new-too_small 3 25% 12
test-too_small 1 8.333333% 12
you can use the eventstats command to do this. Eventstats is a very unusual command but it was added to do things like this, where you want statistics about the entire search results but you want those statistics available as fields on each event.
eventstats sum(count) as total
will take the sum of all the count fields across all the rows in the set, and add that as a total
field on each event
So the desired end goal is:
<your search> | eventstats sum(count) as total | eval percent=100*count/total | strcat percent "%" percent
Read more about eventstats and see more examples at: http://www.splunk.com/base/Documentation/latest/SearchReference/Eventstats
Instead of strcat, it is better to use fieldformat like this: | fieldformat percent=percent+"%"
Use the 'top' search operator, which will include the percentages.
http://www.splunk.com/base/Documentation/4.1.2/SearchReference/Top