Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I show the percentage of events that match a criteria?

ashishhsihsa
New Member
‎10-10-2017 09:05 AM

I have the following query which provides me results for every 1 hour and for each mne as single row

index=N sourcetype=APP earliest=-24h (time>5 AND (id=111111 OR id=222222))

| rex field=_raw "^(?\d{4}-\d{2}-\d{2} \d{2}).*time*"
| eval mne=case(id=111111, "FIRST", id=222222,"SECOND") 
| eval resp=case(time>=5 AND time<=2000, "     0 - 2 seconds", time>2000 AND time<=4000, "    2 - 4 seconds", time>4000 AND time<=6000, "   4 - 6 seconds", time>6000 AND time<=8000, "  6 - 8 seconds", time>8000 AND time<=10000, " 8 - 10 seconds", time>10000, "> 10 seconds") 
| eval time_mne=time+":00  "+mne
| chart count over time_mne by resp| addtotals |sort time_mne desc

Output is displayed as - 

time_mne                                |    0-2 seconds   |             2-4 seconds       | Total
2017-10-09 11:00 FIRST                  |      23          |                   12          |  126
2017-10-09 11:00 SECOND                 |       21         |                    16         |   120
2017-10-09 10:00 FIRST                  |       20         |                    18         |  128
2017-10-09 10:00 SECOND                 |       22         |                    15         |  124

What I want to do is - add a percentage for one of the columns based on total E.g.: What percentage of total are under 2-4 seconds ?
How do I do it?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎10-10-2017 11:18 AM

try adding |eval under2_perc=round('0-2 seconds'/Total*100,2)
I'm going to assume, based on the question, that you're looking to divide 0-2 seconds column by Total column. Splunk might have a problem with the 0-2 seconds column name, so you might need to rename it before the eval.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎10-10-2017 11:18 AM

try adding |eval under2_perc=round('0-2 seconds'/Total*100,2)
I'm going to assume, based on the question, that you're looking to divide 0-2 seconds column by Total column. Splunk might have a problem with the 0-2 seconds column name, so you might need to rename it before the eval.

0 Karma
Reply
Solved! Jump to solution

ashishhsihsa
New Member
‎10-10-2017 12:08 PM

How do i display this new variable as a column adjacent to "Total" column ?

0 Karma
Reply
Solved! Jump to solution

ashishhsihsa
New Member
‎10-10-2017 12:13 PM

Never mind got it !!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...