Splunk Search

Calculate percentage from an event field and lookup field

ashishlal82
Explorer

I am trying to calculate percentage from a field in my lookup (xyz ) to an event field in splunk (abc). Technically its abc/xyz* 100. Does splunk has a function?

Tags (3)
0 Karma

sundareshr
Legend

Try this

index=youreventsindex | stats count by CVE | appendpipe [ | inputlookup lookup.csv | stats count by CVE | rename count as fromLU] | eval perc=tostring(fromLU/count*100, "commas")."%"
0 Karma

ashishlal82
Explorer
index=xyz | stats dc(Name) as totalcve |appendcols [|inputlookup cve_08042016.csv| stats count(Name) as Totalcve]| eval perc=tostring(totalcve/Totalcve*100,"commas")."%" 

Implement the above query. how can I output the result by severity, which is an event field from within the index=xyz

0 Karma

sundareshr
Legend

Assuming you have severity field in the csv as well (else, how will you match?) you can do this

index=xyz | stats dc(Name) as totalcve by severity |appendcols [|inputlookup cve_08042016.csv| stats count(Name) as Totalcve by severity]| eval perc=tostring(totalcve/Totalcve*100,"commas")."%"

OR
If you want to compare % in index by severity vs total in csv, try this

index=xyz | stats dc(Name) as totalcve by severity |appendcols [|inputlookup cve_08042016.csv| stats count(Name) as Totalcve]| filldown Totalcve | eval perc=tostring(totalcve/Totalcve*100,"commas")."%"
0 Karma

lguinn2
Legend

You should be able to do this:

yoursearchhere
| yourlookuphere
| eval percent = round(abc /xyz * 100, 1)

Assuming that your search gives you a numeric field named abc and the lookup gives you a field named xzy, the eval command will create a new field named percent, and will calculate the percentage for every event.

If you want to compute an overall percentage based on a count of the events or some other statistic (which seems to be what some of the commenters were asking), then you might need to use a stats command or something else prior to the eval...

0 Karma

somesoni2
SplunkTrust
SplunkTrust

How are the lookup field and splunk's event field related? Do they have a common field value based on which it can be matched?

0 Karma

ashishlal82
Explorer

So the event field is a list of CVE's that splunk spit out and the lookup has CVE's from NVD.

0 Karma

sundareshr
Legend

Are you wanting to calculate the number of CVEs present in the events vs in the lookup?

0 Karma

ashishlal82
Explorer

I have the numbers. just trying to figure out the %. And my question was does splunk has % as function?

0 Karma

sundareshr
Legend

There's no built in % function. You will have to do abc/xzy*100. To format you can do tostring(abc/xyz*100, "commas")."%"

0 Karma

ashishlal82
Explorer

abc and xyz have same fieldnames one is an event field and other is an lookup. and the y have CVE id, I just need to find the %

0 Karma

ashishlal82
Explorer

how can I use the lookup as subsearch to get the count and find the %?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...