Splunk Search

Can you help me with a stats count that returns a percentage?

jip31
Motivator

Hi,

I use the search below in order to count the number of events.

I want to do the same calculation, but in percent

eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit') 
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)  
| stats dc(Degradation_Time) as Total by File_Name 
| sort -Total limit=10

Could you help me please?

0 Karma
1 Solution

jip31
Motivator

My result is the total of degradation time by File_Name. The total is an integer number.
Now I want the same in percent.
I have done this but I do not get exactly the same result.
The first field name in the integer panel is in second position in the percent panel:

eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)
| stats count by File_Name
| eventstats sum(count) as Total
| eval Percent=round((count/Total)*100,1)
| sort -Percent limit=10
| eval Percent=Percent." %"
| table File_Name Percent

0 Karma

astatrial
Contributor

What do you mean by "the same calculation in percent"?
What is your total? The count of distinct Degradation_Time from all files? The count of Degradation_Time values from the total number of Degradation_Time?

Regards,

0 Karma

jip31
Motivator

It was just an issue in my stats count. I close the topic.

0 Karma

cvssravan
Path Finder

Hi, you can try the top command (by default it gives 10 results, so I haven't used limit):

eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit')
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)
| top countfield=Total Degradation_Time by File_Name

0 Karma

cvssravan
Path Finder

If you want to consider distinct count as well, try this:

eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit')
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)
| stats dc(Degradation_Time) as Total by File_Name
| top Total by File_Name

0 Karma

jip31
Motivator

It's not what I want.
In my query I count the number of degradation times by file name.
I want the same thing in percent...

0 Karma

cvssravan
Path Finder

Assuming that you are looking for sum(Degradation_Time) by file and then percentage, not count. See my answer below:

eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit')
| eval File_Name=coalesce(Nom_du_fichier,File_Name,Dateiname,Nombre_de_archivo)
| stats sum(Degradation_Time) as Degradation_Time_By_File by File_Name
| appendcols
[search eventtype="Start" AND (NOT host=E* AND NOT host=I*)
| eval Degradation_Time=coalesce('Durée de la dégradation','Degradation Time','Tiempo de degradación','Beeinträchtigungszeit')
| stats sum(Degradation_Time) as Total_Degradation_Time]
| filldown Total_Degradation_Time
| eval Percent_Degradation_Time_By_File =(Degradation_Time_By_File*100)/Total_Degradation_Time

Hope it works.

0 Karma