
Can you help me do an eval for a percentage of two values in an Xyseries?

TCK101
New Member

I have my derived tables

| stats count by breached region 
| xyseries region breached  count

REGION NO YES
US 100 25
EU 200 50

I want to do an eval for the percentage of breached as a new column after YES.
Any ideas?

0 Karma
1 Solution

niketn
Legend

@TCK101 instead of using stats followed by xyseries, you can get the same output by using stats with eval. The addtotals command will create a Total field with the total of Yes and No. Then an optional foreach can be used to apply a template eval (or else you can write two separate evals to calculate Yes % and No %). Try the following search and confirm!

 <yourCurrentSearch>
| stats count(eval(breached=="Yes")) as "Yes" count(eval(breached=="No")) as "No" by region
| addtotals
| foreach "Yes", "No" 
    [| eval "<<FIELD>> %"=round((<<FIELD>>/Total)*100,2)] 
| table region "* %"

Following is a run-anywhere example based on Splunk's _internal index (I have reduced the number of results to have the components with both Fail % and Success %):

index=_internal sourcetype=splunkd 
| stats count(eval(log_level=="INFO")) as "SUCCESS" count(eval(log_level!="INFO")) as "FAIL" by component 
| search SUCCESS>0 AND FAIL>0 
| addtotals 
| foreach SUCCESS, FAIL 
    [| eval "<<FIELD>> %"=round((<<FIELD>>/Total)*100,2)] 
| sort - "FAIL %" 
| table component "* %"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
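
The following run-anywhere search is an added example, not part of niketn's answer: it keeps the xyseries layout from the question and appends the percentage as a new column after YES. The sample rows, including an APAC region with no YES events, are constructed; fillnull and the zero check are there because xyseries leaves a column empty for any region that has no events with that value.

```spl
| makeresults
| eval constructed_sample="US,NO,100;US,YES,25;EU,NO,200;EU,YES,50;APAC,NO,40"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<region>[^,]+),(?<breached>[^,]+),(?<count>\d+)$"
| fields region breached count
| xyseries region breached count
| fillnull value=0 NO YES
| eval "YES %"=if(NO+YES==0, 0, round(YES/(NO+YES)*100, 2))
| table region NO YES "YES %"
```

On real data, replace everything above the xyseries line with the original `| stats count by breached region`.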


mstjohn_splunk
Splunk Employee

Hi @tck101

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma

rashi83
Path Finder

Hi there,
I have a similar situation, need to calculate percentage for the below table:
index=x | xyseries hostname compName status

hostname , Comp1 , Comp2, Comp3 , Comp4
x Passed Failed Passed Failed
y Failed Passed Passed Passed

I need another col where percentage of is calculated like (Passed/Passed+Failed)*100. How do we achieve it?

0 Karma