Hi,
How would I chart a percentage of values? I want to count the number of events that match a criteria, and then display in a chart the percentage that match a certain criteria.
Try
yoursearchhere |
stats count by criteria |
eventstats sum(count) as totalCount |
eval percentage=round(count*100/totalCount,1) |
fields - count totalCount |
chart max(percentage) by criteria
In the search above max(percentage)
is really sort of a no-op, as there is only one percentage for each criterion. But you can't just give a field name for the Y argument, you have to give a function...
Try
yoursearchhere |
stats count by criteria |
eventstats sum(count) as totalCount |
eval percentage=round(count*100/totalCount,1) |
fields - count totalCount |
chart max(percentage) by criteria
In the search above max(percentage)
is really sort of a no-op, as there is only one percentage for each criterion. But you can't just give a field name for the Y argument, you have to give a function...
And, just for completeness...eventstats is discussed in http://docs.splunk.com/Documentation/Splunk/4.3.2/User/UseReportingCommands, and the reference topic for it is http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Eventstats.
eventstats calculates a statistic (same functions as stats) - and then adds the results as a field to every event. Just do this and you will be able to see it better:
yoursearchhere |
stats count by criteria |
eventstats sum(count) as totalCount
The totalCount field is the same in every event, because it is the overall total.
Thanks. Looks like it did the trick - I'm looking at my training manuals and reference sheets, and I don't see eventstats listed anywhere. What does that do?