Solved: How to search the percentage of values in a field?

jsmith_splunk · ‎06-02-2016

I'm trying build a bar chart from an asset list that shows by bunit what percentage of a field called last has a value in it.
I used isnotnull to create a field with yes/no values, but I'm not sure how to show the percentage.

| inputlookup my_assets.csv | eval percentage=if(isnotnull(last),"yes","no")

somesoni2 · ‎06-02-2016

You're in right direction. Try like this (using just the count will give total number of rows and count(field) will give count where field has a value)

 | inputlookup my_assets.csv | stats count as total count(last) as count by bunit | eval percent = round(count/total,2)

View solution in original post

somesoni2 · ‎06-02-2016

You're in right direction. Try like this (using just the count will give total number of rows and count(field) will give count where field has a value)

 | inputlookup my_assets.csv | stats count as total count(last) as count by bunit | eval percent = round(count/total,2)

jsmith_splunk · ‎06-02-2016

That was much easier than the direction I was going.
Thank you very much!

somesoni2 · ‎06-02-2016

Can you provide available fields and some sample data from the lookup and expected output?

jsmith_splunk · ‎06-02-2016

dns, nt_host, ip, owner, bunit, category, last
servera.mydomain.com,servera,1.1.1.1,Mark,groupa,linux,6/1/2016 12:08:34
serverb.mydomain.com,serverb,1.1.12,Brian,groupb,windows,,

I can't tell if I'm on the right track or not, I've built the query out to this, but I'm not getting a return for the field count

| inputlookup my_assets.csv | eval hasvalue=if(isnotnull(last),"yes","no") | stats sum(hasvalue=yes) as count by bunit | eventstats sum(hasvalue=no) as total | eval percent = round(count/total,2)

How to search the percentage of values in a field?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life