- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I show the percentage of events that match...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following query which provides me results for every 1 hour and for each mne as single row
index=N sourcetype=APP earliest=-24h (time>5 AND (id=111111 OR id=222222))
| rex field=_raw "^(?\d{4}-\d{2}-\d{2} \d{2}).*time*"
| eval mne=case(id=111111, "FIRST", id=222222,"SECOND")
| eval resp=case(time>=5 AND time<=2000, " 0 - 2 seconds", time>2000 AND time<=4000, " 2 - 4 seconds", time>4000 AND time<=6000, " 4 - 6 seconds", time>6000 AND time<=8000, " 6 - 8 seconds", time>8000 AND time<=10000, " 8 - 10 seconds", time>10000, "> 10 seconds")
| eval time_mne=time+":00 "+mne
| chart count over time_mne by resp| addtotals |sort time_mne desc
Output is displayed as -
time_mne | 0-2 seconds | 2-4 seconds | Total
2017-10-09 11:00 FIRST | 23 | 12 | 126
2017-10-09 11:00 SECOND | 21 | 16 | 120
2017-10-09 10:00 FIRST | 20 | 18 | 128
2017-10-09 10:00 SECOND | 22 | 15 | 124
What I want to do is - add a percentage for one of the columns based on total E.g.: What percentage of total are under 2-4 seconds ?
How do I do it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try adding |eval under2_perc=round('0-2 seconds'/Total*100,2)
I'm going to assume, based on the question, that you're looking to divide 0-2 seconds column by Total column. Splunk might have a problem with the 0-2 seconds column name, so you might need to rename it before the eval.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try adding |eval under2_perc=round('0-2 seconds'/Total*100,2)
I'm going to assume, based on the question, that you're looking to divide 0-2 seconds column by Total column. Splunk might have a problem with the 0-2 seconds column name, so you might need to rename it before the eval.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do i display this new variable as a column adjacent to "Total" column ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Never mind got it !!
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
