Solved: show percentage as a new field

ranjitbrhm1 · ‎03-07-2018

Hello All, I have a question for you. We have data where the user want to calculate the number of events that have occured for an event name. so i write a query (Just an example)
index=_internal | stats count(sourcetype) as number by name
and i get a result like this
name number
asdf 10
ghjoi 15
kdkd 20

i want to have a third field somehow where it shows that asdf occured 30% ghjoi occured 50% and kdkd occured 20%

name number final percentage
asdf 10 30
ghjoi 15 50
kdkd 20 20

how do i achieve this?

thanks

harsmarvania57 · ‎03-07-2018

Hi @ranjitbrhm1,

Based on example you have given , can you please try like this

index=_internal | stats count(sourcetype) as number by name
| eventstats sum(number) AS total
| eval percentage=(number/total)*100

View solution in original post

harsmarvania57 · ‎03-07-2018

Hi @ranjitbrhm1,

Based on example you have given , can you please try like this

index=_internal | stats count(sourcetype) as number by name
| eventstats sum(number) AS total
| eval percentage=(number/total)*100

ranjitbrhm1 · ‎03-07-2018

absolutely brilliant. it worked like a charm. thanks XOXO

show percentage as a new field

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life