Splunk Search

How to calculate percent from distinct count?

ra01
Path Finder

I'm aware of a number of questions on here dealing with percents, including: https://answers.splunk.com/answers/120424/how-to-display-percentage-of-total.html

But I can't figure out how to apply it to my question.

I have browser logs of site sessions, and want to report the % breakdown by device type.

This search gets me a table of device totals (by distinct sessions), but how do i make it a %?

eventtype=pageactions tag=external_traffic session_id=*
| fillnull value=blank devicetype
| stats dc(session_id) as unique_sessions by devicetype
| table devicetype unique_sessions
| addtotals row=f col=t labelfield=devicetype label=total

Actually, ideally I'd like to have two columns (both as %) showing the % of distinct events and the % of all events. That way I can see both what device our visitors are using and if one device is causing more traffic.

I can do that from here (if i could just divide by total)

eventtype=pageactions tag=external_traffic session_id=*
| fillnull value=blank devicetype
| stats dc(session_id) as unique_sessions, count as event_counts by devicetype
| table devicetype unique_sessions event_counts 
| addtotals row=f col=t labelfield=devicetype label=total
0 Karma
1 Solution

Jeremiah
Motivator

How about this? Add up the total using eventstats and then calculate the percentage for each row.

| gentimes start=-500 | eval session_id=random() % 500 | eval device_id = random() % 10 | stats dc(session_id) AS unique_sessions by device_id | eventstats sum(unique_sessions) AS total | eval percent=round((unique_sessions/total)*100,2) | table device_id unique_sessions percent

View solution in original post

Jeremiah
Motivator

How about this? Add up the total using eventstats and then calculate the percentage for each row.

| gentimes start=-500 | eval session_id=random() % 500 | eval device_id = random() % 10 | stats dc(session_id) AS unique_sessions by device_id | eventstats sum(unique_sessions) AS total | eval percent=round((unique_sessions/total)*100,2) | table device_id unique_sessions percent

ra01
Path Finder

whoa! thanks.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...