percentage

srinivasmanikan · ‎08-26-2019

i have a field called application_name it is indexing to Splunk for every 5 min. so if i run top command for getting the percentage it is giving the value, but the application_name are coming as duplicate with different values so i need to add them and give a percentage based on the time range

Sukisen1981 · ‎08-26-2019

    | top "error" by application_name
    | sort error
    | eventstats sum(count) as sum_count by error
    | eval perc=round((count/sum_count)*100,2)
|fields application_name,error,perc

Hi @srinivasmanikanta try this, we are a bit unable to understand your exact need, but this should set you on your way, tinker with the application_name and error for your exact requirements

Sukisen1981 · ‎08-28-2019

hi @srinivasmanikanta
Please accept the answer if it significantly helped resolve your issue or let us know if there are any more issues

diogofgm · ‎08-26-2019

Can you give more details on how is it duplicated but with different values? Also, how do you decide which time interval is considered for the calculation? Its the percentage calculated then regarding just the data in this interval or the entire select time of the search?
If you can show some example data and the expected output it will be easier to get an answer from anyone here.

------------
Hope I was able to help you. If so, some karma would be appreciated.

srinivasmanikan · ‎08-26-2019

index=**** |top "error" by application_name

application_name errors count percent

abc 0 24 92.307692
abc 1 2 7.692308
xyz 0 64 81.012658
xyz 2 7 8.860756

diogofgm · ‎08-26-2019

There is nothing wrong with the output of the command there. You are getting the percentage of each error by application_name. Meaning for application_name "abc" errors "0" appear 24 times making it 92,3% of the Total (again) by application_name and errors "1" appear 2 times making it 7,6% of the Total by application_name. you say its "duplicated" but its just because you are using "errors" by "application_name".
Whats the intended output you are looking for? Also, can you post some example?

------------
Hope I was able to help you. If so, some karma would be appreciated.

srinivasmanikan · ‎08-26-2019

i need to add the application_name value as all abc as one value and all xyz as one value

application_name errors count percent
abc 0, 24, 92.307692
abc 1, 2, 7.692308
xyz 0, 64, 81.012658
xyz 2, 7, 8.860756
this is what i am geeting
i want to add (abc + abc)application_name and i want to display the percentage, i hope you understand the request

diogofgm · ‎08-26-2019

Try this:
| top application_name

Otherwise, using your command |top "error" by application_name, if you just add/sum the different values for each application (abc+abc) and (xyz+xyz) you'll always get 100% percentage

------------
Hope I was able to help you. If so, some karma would be appreciated.

srinivasmanikan · ‎08-26-2019

ya i agree with you thats what i am asking is there any chance to get the correct percentage

srinivasmanikan · ‎08-26-2019

in this way i am not getting the error count

it is showing as
application_name count percent
abc,196,0.498575

Sukisen1981 · ‎08-26-2019

hmm the top command gives duplicates? Are you sure there are no leading / trailing white spaces in the application_name field.
Can you post your query for us to assist further?

srinivasmanikan · ‎08-26-2019

yes suksien there are no white spaces.

index= |top "error" by application_name

application_name errors count percent
abc 0, 24, 92.307692
abc 1, 2, 7.692308
xyz 0, 64, 81.012658
xyz 2, 7, 8.860756

percentage

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...