Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

calculate Field count and pass it for percent calculation

k_harini
Communicator
‎10-13-2016 02:49 AM

Hi,
I'm a newbie to splunk. Struggling with a query. All i want to do now is pass the total value so that i can calculate the %. One part of query is done. Other part I'm facing issue - to pass total value
Tried this
1. index="my_index" | eval reformat_time= strftime(strptime('Due Date',"%d.%m.%Y"),"%d.%m.%Y")|eval now_time=strftime(now(),"%d.%m.%Y")|where (reformat_time >= now_time) AND ('Status'!="Oxxx") |stats count as Missed_count count(eval(index=” my_index”) as Total|table Missed_count Total .. I'm not able to get total and hence could not calculate completed %. I got missed count. Im looking for total count to calculate %.
2. Tried with eventstats too
index="charm_normal_index"|eventstats count as Total_events|eval reformat_time= strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y")|eval now_time=strftime(now(),"%d.%m.%Y")|where (reformat_time >= now_time) AND ('System Status'!="Completed") |stats count as Missed_count| table Missed_count Total_events

No luck. Please help

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-13-2016 04:47 AM

There are a couple of ways you can do this.. You almost has both of them.. Try one of these

Using eventstats

index="charm_normal_index"|eventstats count as Total_events | where (reformat_time >= now_time) AND ('System Status'!="Completed") | eval reformat_time= strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y") | eval now_time=strftime(now(),"%d.%m.%Y") | stats count as Missed_count values(Total_events) as Total_events

Using stats

index="charm_normal_index"|eventstats count as Total_events | eval reformat_time= strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y") | eval now_time=strftime(now(),"%d.%m.%Y") | stats count as Total_events count(eval((reformat_time >= now_time) AND ('System Status'!="Completed") )) as Missed_count

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-13-2016 04:47 AM

There are a couple of ways you can do this.. You almost has both of them.. Try one of these

Using eventstats

index="charm_normal_index"|eventstats count as Total_events | where (reformat_time >= now_time) AND ('System Status'!="Completed") | eval reformat_time= strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y") | eval now_time=strftime(now(),"%d.%m.%Y") | stats count as Missed_count values(Total_events) as Total_events

Using stats

index="charm_normal_index"|eventstats count as Total_events | eval reformat_time= strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y") | eval now_time=strftime(now(),"%d.%m.%Y") | stats count as Total_events count(eval((reformat_time >= now_time) AND ('System Status'!="Completed") )) as Missed_count
Reply
Solved! Jump to solution

k_harini
Communicator
‎10-13-2016 10:45 AM

Hi,

Using stats worked. 1st query did not work. There is another option with join. I did with that. Thanks a lot for your response

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...