Hello
This is my data:
2015-07-24 12:18:05 A=10 B=20 C=30 D=15
2015-07-24 12:18:15 A=20 B=210 C=320 D=150
2015-07-24 12:18:25 A=20 B=210 C=320 D=150
2015-07-24 12:18:35 A=20 B=10 C=30 D=50
I am able to show total in the last row with following search:
index = "localindex" source = "/var/log/localtest.log" | table Column A,B,C,D | addtotals col=t labelfield=Column label=" TOTALS" fieldname="SUM"
I need to show PERCENTAGE in the last row of the table. The value should like (sum(A)/sum(A+B+C+D))*100
and this calculation needs to repeat for each column A, B, C, D, and also include the SUM.
Please suggest me how I can do that.
Since you already have the SUM field (I think I always have to play with addtotals manually) from adding A - D your next step is to use the foreach command
index = "localindex" source = "/var/log/localtest.log" | table Column A,B,C,D | addtotals col=t labelfield=Column label=" TOTALS" fieldname="SUM" | foreach A B C D [ eval <<FIELD>>_perc = round((<<FIELD>> / SUM)*100, 1) . " %" ]
You might want to take out the bit where I've added the % sign in case you want to sort by the values and maybe use a fieldformat command. Unfortunately you can't do a foreach on fieldformat. Give that a shot and see if it helps.
Sorry if I misunderstood your question but at the end you want to repeat the same perc value for each column ? Anyway try appendpipe and do the calculation inside. For eg:
index=test|table column A B C D|addtotals col=t labelfield=column label=" TOTALS" fieldname="SUM"|appendpipe [stats sum(A) as A,sum(B) as B,sum(C) as C,sum(D) as D,sum(SUM) as SUM|eval perc=(A/(A+B+C+D))*100|eval A=perc|eval B=perc|eval C=perc|eval SUM=perc|eval D=perc]|fields - perc
This might not be the result you want but a pointer.