Solved: Getting a percentage value to show up in a statist...

dbcase · ‎07-25-2016

Hi,

I have this query

earliest=-6w@w1 index=top10 source=/home/oracle/workdir/account_log.csv STATUS="Reason*"|transaction PREMISE maxspan>19d|eventstats count as grandtotal|eventstats count as ptotal by STATUS|chart sparkline(count) as Trend count(STATUS) as Count values(eval(round(ptotal/grandtotal*100,2))) as Percentage by STATUS | sort -Count

And everything works except for the Percentage near the end. I get multiple values in the Percentage column where the Trend and Count columns are just fine

sundareshr · ‎07-25-2016

Try this

earliest=-6w@w1 index=top10 source=/home/oracle/workdir/account_log.csv STATUS="Reason*"
| transaction PREMISE maxspan>19d
| eventstats count as grandtotal
| chart sparkline(count) as Trend count(STATUS) as Count max(grandtotal) as gtotal count as ptotal by STATUS
| eval Percentage=round(ptotal/gtotal*100, 2)
| sort -Count

View solution in original post

sundareshr · ‎07-25-2016

Try this

earliest=-6w@w1 index=top10 source=/home/oracle/workdir/account_log.csv STATUS="Reason*"
| transaction PREMISE maxspan>19d
| eventstats count as grandtotal
| chart sparkline(count) as Trend count(STATUS) as Count max(grandtotal) as gtotal count as ptotal by STATUS
| eval Percentage=round(ptotal/gtotal*100, 2)
| sort -Count

dbcase · ‎07-25-2016

That worked perfectly!!!! Thanks Sundareshr!!!!

dbcase · ‎07-25-2016

Looks like this
Trend Count Percentage
(sparkline is here) 2791 0.05
0.15
0.25
0.41
0.82

Getting a percentage value to show up in a statistics table

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor