Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find top events contributing to a total of X% of the events?

dkikan
Engager
‎02-07-2017 12:51 AM

Hi, I can find the top events but I want to see all those events that are contributing say 80% of the total. e.g. there are 25k events and the top 10 events contribute to 96% of the total. I want to see the only events that contribute to 80% of the total rather than 96% as retrieved in the results. I have read related questions/answers but couldn't get a clue how to do it. Anyone please?

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎02-07-2017 07:45 AM

Give this a try. Assuming there is a unique identifier field call identifier based on which the top is calculated.

index=foo sourcetype=bar [ search index=foo sourcetype=bar | stats count by identifier | sort 0 -count | eventstats sum(count) as total | eval perc=round(count*100/total) | accum perc | where perc<=80]
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...