How do you calculate the percentage of log entries...

wtanaka · ‎08-19-2011

I have a log where each event can be given a boolean field with:

| eval myfield=case(n > 0, "A", n=0, "B")

So some events have myfield = "A", others have myfield = "B", and others have myfield unset.

I'd like a graph with the X axis being "time" and the Y axis being the percentage of events that have n = "A" -- more specifically, the number of events that have n = "A" divided by number of events that have either (n = "A" or n = "B").

How do I do that?

bbingham · ‎08-19-2011

You can use eval's inside of the functions of the charting modules to check if something is true.

|timechart span=15m count as "Total_Events" count(eval(myfield="a")) as "Total_A" count(eval(myfield="b")) as "Total_B" | eval percent_a=Total_A/Total_Events | eval percent_b=Total_B/Total_Events | fields percent_a,percent_b

If you want to only see a ratio of A to B, simply replace the division of "total_events" with the respective value.

sideview · ‎08-19-2011

This should work.

<your search> | eval myfield=case(n > 0, "A", n=0, "B") | timechart count by myfield | eval total=A+B | eval Aperc=100*A/total | eval Bperc=100*B/total | fields _time Aperc Bperc

Also, for when you have more than two values going on, | addtotals will be more useful to you than | eval total=A+B. (Note that addtotals creates a field called 'Total' and field names are case-sensitive.)

How do you calculate the percentage of log entries that have a specific value in a field out of the total number of entries that have that field defined, bucketed by time?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases