I am trying to calculate percentage from a field in my lookup (xyz ) to an event field in splunk (abc). Technically its abc/xyz* 100. Does splunk has a function?
Try this
index=youreventsindex | stats count by CVE | appendpipe [ | inputlookup lookup.csv | stats count by CVE | rename count as fromLU] | eval perc=tostring(fromLU/count*100, "commas")."%"
index=xyz | stats dc(Name) as totalcve |appendcols [|inputlookup cve_08042016.csv| stats count(Name) as Totalcve]| eval perc=tostring(totalcve/Totalcve*100,"commas")."%"
Implement the above query. how can I output the result by severity, which is an event field from within the index=xyz
Assuming you have severity
field in the csv as well (else, how will you match?) you can do this
index=xyz | stats dc(Name) as totalcve by severity |appendcols [|inputlookup cve_08042016.csv| stats count(Name) as Totalcve by severity]| eval perc=tostring(totalcve/Totalcve*100,"commas")."%"
OR
If you want to compare % in index by severity vs total in csv, try this
index=xyz | stats dc(Name) as totalcve by severity |appendcols [|inputlookup cve_08042016.csv| stats count(Name) as Totalcve]| filldown Totalcve | eval perc=tostring(totalcve/Totalcve*100,"commas")."%"
You should be able to do this:
yoursearchhere
| yourlookuphere
| eval percent = round(abc /xyz * 100, 1)
Assuming that your search gives you a numeric field named abc and the lookup gives you a field named xzy, the eval command will create a new field named percent, and will calculate the percentage for every event.
If you want to compute an overall percentage based on a count of the events or some other statistic (which seems to be what some of the commenters were asking), then you might need to use a stats command or something else prior to the eval...
How are the lookup field and splunk's event field related? Do they have a common field value based on which it can be matched?
So the event field is a list of CVE's that splunk spit out and the lookup has CVE's from NVD.
Are you wanting to calculate the number of CVEs present in the events vs in the lookup?
I have the numbers. just trying to figure out the %. And my question was does splunk has % as function?
There's no built in % function. You will have to do abc/xzy*100. To format you can do tostring(abc/xyz*100, "commas")."%"
abc and xyz have same fieldnames one is an event field and other is an lookup. and the y have CVE id, I just need to find the %
how can I use the lookup as subsearch to get the count and find the %?