Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to display the percentage of tickets sold based on a conditional search string?

maximusdm
Communicator
‎12-16-2016 07:03 AM

Splunk newbie here so please bear with me.
Given the table/records below, how can I build a bar chart with the percent of tickets sold based on a search string?
For instance, if string = "Metallica" then sum up 3 + 1 = 4 and calculate the percentage of 10 sold tickets total.
For instance, if string = "Metallica Cover" then 1 is the total and calculate the percentage of 10 total.

Tickets           Sold

Metallica           3
Metallica Cover      1
U2                 1
Soundgarden       1
Britney Spears     0
U2                 2
Metallica           2

I managed to count the number of entries of each Ticket but what I need is to calculate the number of tickets sold, so the query below is wrong:

 | eval tickets=Tickets | replace
 *Metallica* with "Metallica", *Metallica*Cover* with "Metallica Cover", *U2* with "U2", *Soundgarden*
 with Soundgarden, *Britney*Spears*
 with "Britney Spears" in tickets | top
 limit=15 useother=t tickets

I could also use the following => stats count by tickets
but I need to be able to count the num Sold by searching a specific string.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-16-2016 09:01 AM

Try something like this

..| eval tickets=Tickets | replace *Metallica* with "Metallica", *Metallica*Cover* with "Metallica Cover", *U2* with "U2", *Soundgarden* with Soundgarden, *Britney*Spears* with "Britney Spears" in tickets 
| stats sum(Sold) as Sold by tickets | eventstats sum(Sold) as TotalSold
| eval Percentage=round(Sold*100/TotalSold,2)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-16-2016 09:01 AM

Try something like this

..| eval tickets=Tickets | replace *Metallica* with "Metallica", *Metallica*Cover* with "Metallica Cover", *U2* with "U2", *Soundgarden* with Soundgarden, *Britney*Spears* with "Britney Spears" in tickets 
| stats sum(Sold) as Sold by tickets | eventstats sum(Sold) as TotalSold
| eval Percentage=round(Sold*100/TotalSold,2)
0 Karma
Reply
Solved! Jump to solution

maximusdm
Communicator
‎12-16-2016 12:33 PM

That actually worked. I was comparing the data with an Excel spreadsheet and Splunk had a filter. All good. Thank you so much!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...