Splunk Search

Percentage calculation by timechart

vikram_m
Path Finder

We have a request to get values from particular field based on % of bin count.

(1) index=ABC | timechart span=1d count by => By this we get count of the bins for the particular days spanned by day

(2) index=ABC| top limit=0 => By this we get the bin % of the field value but it is not spanned but for the number of days we select in time picker.

So I am looking for a search which will:
i. calculate the bin count of the values in i.e. error no 400, 200, 201, 208 separately; also these should be spanned based on the timechart we specify, i.e. if I want the bin count on a per-day basis for the month, it should show that.

Thanks for the help in query in advance.

beriwalnishant
Path Finder

Can you explain this query...the logic etc

0 Karma

vikram_m
Path Finder

Thanks cmerriman, renjith.nair for your replies. One of my colleagues also found exactly what the client was looking for; the query looks as pasted below. However, I'll also try the queries you guys mentioned above so we have some more queries ready in case the client comes with something new. 🙂

index=<Index_Name> CustomField=<Custom_Field1> CustomField=<Custom_Field2>| bucket _time span=1d | stats count by _time,<Custom_Field2> | eventstats sum(count) as total by _time | eval percent=((count/total)*100)| table _time, <Custom_Field2>, count, total, percent
0 Karma

cmerriman
Super Champion

this should work:

index=ABC|bucket _time span=1d| stats count by errorNo _time|eventstats sum(count) as total by errorNo |eval percentage=(count/total)*100|chart values(percentage) by _time errorNo 

however the answer from @renjith.nair seems logical as well, foreach statements work wonders.

0 Karma
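To make explicit what the two queries in this thread compute, here is an added Python sketch (not from the thread or from Splunk) that mirrors them over constructed events: bucket to days, count by day and errorNo, then divide by a per-day total (the query in vikram_m's post above) versus a per-errorNo total (cmerriman's query). The timestamps and error numbers are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events (timestamp, errorNo); not taken from the thread.
EVENTS = [
    ("2024-03-01T08:00:00Z", 200), ("2024-03-01T09:10:00Z", 200),
    ("2024-03-01T09:30:00Z", 400), ("2024-03-01T23:59:59Z", 208),
    ("2024-03-02T00:00:01Z", 200), ("2024-03-02T12:00:00Z", 400),
    ("2024-03-02T12:05:00Z", 400), ("2024-03-02T13:00:00Z", 201),
]

def bucket_day(ts: str) -> str:
    """Equivalent of `bucket _time span=1d`: truncate the timestamp to its UTC day."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%d")

def count_by_day_and_error(events):
    """`stats count by _time, errorNo` after daily bucketing -> {(day, errorNo): count}."""
    counts = Counter()
    for ts, err in events:
        counts[(bucket_day(ts), err)] += 1
    return counts

def percent_of_day(events):
    """vikram_m's query: `eventstats sum(count) as total by _time`, percent=count/total*100.
    Each errorNo's share of that day's events; the rows of one day sum to 100."""
    counts = count_by_day_and_error(events)
    day_total = Counter()
    for (day, _), c in counts.items():
        day_total[day] += c
    return {k: round(100 * c / day_total[k[0]], 2) for k, c in counts.items()}

def percent_of_error(events):
    """cmerriman's query: `eventstats sum(count) as total by errorNo`.
    How one errorNo's events spread across days; the rows of one errorNo sum to 100."""
    counts = count_by_day_and_error(events)
    err_total = Counter()
    for (_, err), c in counts.items():
        err_total[err] += c
    return {k: round(100 * c / err_total[k[1]], 2) for k, c in counts.items()}

if __name__ == "__main__":
    for (day, err), pct in sorted(percent_of_day(EVENTS).items()):
        print(day, err, f"{pct:.2f}% of the day", f"{percent_of_error(EVENTS)[(day, err)]:.2f}% of that error")
```

The two groupings answer different questions: the per-day total gives a daily status-code mix (useful as a baseline for spotting a sudden rise in 4xx share), while the per-errorNo total shows which days carried most of a given code.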

renjith_nair
SplunkTrust

Does this help ?

index=your index|timechart span=10m count by error_no|addtotals row=true fieldname=_Total|foreach * [eval <<FIELD>> = '<<FIELD>>' * 100 / _Total] 
Happy Splunking!

goelli
Communicator

Helped me - nice solution. Should be the accepted answer 😉
Thank you very much.

0 Karma

vikram_m
Path Finder

Hello Renjith, the query, when I used it, is not giving me % values; instead it gives me the same bin count as the timechart provides.

Can you please tell me what I need to put for and is it the same field name that we want the count for?

0 Karma

renjith_nair
SplunkTrust

You just execute the same query as a whole. Just change the index name and, if needed, error_no to your error number. Don't change FIELD.

Happy Splunking!
0 Karma