Splunk Search

Percentages of table totals

TCK101
New Member

Hi

I have a table top 10 ( could be top15)

So there table has a the top 10 most popular projects by count split by status

however I want to get the status percentage to be the % of the individual project status not as a percentage of the entire table

| top 10 STATUS by projects 
| sort -count 
| eventstats sum(count) as TotalNumber
| eval PercentOfTotal = round(100 * count / TotalNumber,2). "%"    
| stats  list(STATUS) as "STATUS", list(count) as "Count", list(PercentOfTotal) as "Percent", sum(count) as "Total" by projects 
| sort -Total  | addinfo | eval rank=1 | accum rank   | sort +num(rank)  | head (rank <=10)  
| fields rank, projects , STATUS, Count,Percent, Total
| eval STATUS=mvindex(STATUS,0,9)
| eval Count=mvindex(Count,0,9)
| eval Percent=mvindex(Percent,0,9)
Tags (2)
0 Karma

nabeel652
Builder

Do you need something like this?

| top 10 STATUS by projects | sort - projects count  | eventstats sum(count) as ProjectTotal by projects | eval ProjectPercent = round(count/ProjectTotal*100,2)."%" | table projects STATUS count ProjectPercent
0 Karma

nabeel652
Builder

Can you please explain by giving the data in table entries instead of the SPL as without data it's hard to visualise what you are asking for.

0 Karma

TCK101
New Member

This is was I am after - the above Source I provided was giving the percent of the OVERALL count totals of the 3 projects added together
- I was the percent per rank / project

rank project status count percent total

1 project1 Initial 10 50% 20
Started 8 40%
Completed 2 10%

2 Project 2 Initial 5 50% 10
Started 4 40%
Completed 1 10%

3 Project 3 Initial 4 50% 8
Started 4 40%
Completed 0 10%

0 Karma

oda
Communicator

I do not understand the image, do you have any samples?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...