- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- show percentage as a new field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All, I have a question for you. We have data where the user want to calculate the number of events that have occured for an event name. so i write a query (Just an example)
index=_internal | stats count(sourcetype) as number by name
and i get a result like this
name number
asdf 10
ghjoi 15
kdkd 20
i want to have a third field somehow where it shows that asdf occured 30% ghjoi occured 50% and kdkd occured 20%
name number final percentage
asdf 10 30
ghjoi 15 50
kdkd 20 20
how do i achieve this?
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ranjitbrhm1,
Based on example you have given , can you please try like this
index=_internal | stats count(sourcetype) as number by name
| eventstats sum(number) AS total
| eval percentage=(number/total)*100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ranjitbrhm1,
Based on example you have given , can you please try like this
index=_internal | stats count(sourcetype) as number by name
| eventstats sum(number) AS total
| eval percentage=(number/total)*100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
absolutely brilliant. it worked like a charm. thanks XOXO
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
