Splunk Search

How to display the percentage of total value?

rpradeep
Path Finder

I have a set of servers and their patch status against them in a file.

 Hostname   Patch_status
    server1 Patched
    server2 Pending
    server3 Patched
    server4 Pending
    server5 Pending
    server6 Patched
    server7 Pending
    server8 Patched
    server9 Pending
    server10    Pending

I would like to show a percentage value of Patched servers
In the above example, the percentage value should be 40%.
I have played with CHART, STATS, EVENTSTATs, etc but not able to break it. Can someone help me out.

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@rpradeep
Are you looking for this?

YOUR_SEARCH | stats count by Patch_status 
| eventstats sum(count) as total 
| eval perc = count/total*100

Here I have used eventstats for total count.
ref: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/eventstats

Sample Search:

| makeresults 
| eval data="server1@@Patched||server2@@Pending||server3@@Patched||server4@@Pending||server5@@Pending||server6@@Patched||server7@@Pending||server8@@Patched||server9@@Pending||server10@@Pending" 
| eval data=split(data,"||") 
| mvexpand data 
| eval Hostname=mvindex(split(data,"@@"),0),Patch_status=mvindex(split(data,"@@"),1) 
| table Hostname Patch_status 
| stats count by Patch_status 
| eventstats sum(count) as total 
| eval percent = count/total*100 | table Patch_status percent

if you want specific with Patch_status then add below search in above search.

| where Patch_status="Patched"

Thanks

View solution in original post

kamlesh_vaghela
SplunkTrust
SplunkTrust

@rpradeep
Are you looking for this?

YOUR_SEARCH | stats count by Patch_status 
| eventstats sum(count) as total 
| eval perc = count/total*100

Here I have used eventstats for total count.
ref: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/eventstats

Sample Search:

| makeresults 
| eval data="server1@@Patched||server2@@Pending||server3@@Patched||server4@@Pending||server5@@Pending||server6@@Patched||server7@@Pending||server8@@Patched||server9@@Pending||server10@@Pending" 
| eval data=split(data,"||") 
| mvexpand data 
| eval Hostname=mvindex(split(data,"@@"),0),Patch_status=mvindex(split(data,"@@"),1) 
| table Hostname Patch_status 
| stats count by Patch_status 
| eventstats sum(count) as total 
| eval percent = count/total*100 | table Patch_status percent

if you want specific with Patch_status then add below search in above search.

| where Patch_status="Patched"

Thanks

rpradeep
Path Finder

Thanks @kamlesh_vaghela , this is what I am looking for but still I need to display the perc value instead of Patched count.
Please help with that too.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@rpradeep

I've updated the answer and added | table Patch_status percent .

Here, percent field is the percentage field. If you want to add % sign then add below eval.

| eval percent=percent."%"

0 Karma

rpradeep
Path Finder

Perfect.
Thanks a lot @kamlesh_vaghela.
I have been using stats/chart, etc in place of table. Table solves my requirement.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Glad to help you @rpradeep

Happy Splunking
:)

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...