- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to display the percentage of...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk newbie here so please bear with me.
Given the table/records below, how can I build a bar chart with the percent of tickets sold based on a search string?
For instance, if string = "Metallica" then sum up 3 + 1 = 4 and calculate the percentage of 10 sold tickets total.
For instance, if string = "Metallica Cover" then 1 is the total and calculate the percentage of 10 total.
Tickets Sold
Metallica 3
Metallica Cover 1
U2 1
Soundgarden 1
Britney Spears 0
U2 2
Metallica 2
I managed to count the number of entries of each Ticket but what I need is to calculate the number of tickets sold, so the query below is wrong:
| eval tickets=Tickets | replace
*Metallica* with "Metallica", *Metallica*Cover* with "Metallica Cover", *U2* with "U2", *Soundgarden*
with Soundgarden, *Britney*Spears*
with "Britney Spears" in tickets | top
limit=15 useother=t tickets
I could also use the following => stats count by tickets
but I need to be able to count the num Sold by searching a specific string.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
..| eval tickets=Tickets | replace *Metallica* with "Metallica", *Metallica*Cover* with "Metallica Cover", *U2* with "U2", *Soundgarden* with Soundgarden, *Britney*Spears* with "Britney Spears" in tickets
| stats sum(Sold) as Sold by tickets | eventstats sum(Sold) as TotalSold
| eval Percentage=round(Sold*100/TotalSold,2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
..| eval tickets=Tickets | replace *Metallica* with "Metallica", *Metallica*Cover* with "Metallica Cover", *U2* with "U2", *Soundgarden* with Soundgarden, *Britney*Spears* with "Britney Spears" in tickets
| stats sum(Sold) as Sold by tickets | eventstats sum(Sold) as TotalSold
| eval Percentage=round(Sold*100/TotalSold,2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That actually worked. I was comparing the data with an Excel spreadsheet and Splunk had a filter. All good. Thank you so much!
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
