Splunk Search

Percentage for the daily stats

kirangurram
Explorer

Dear Excepts ,
Need your help to calculate percentage for daily stats.

I am using below query to calculate daily stats and their totals. Need your help come with percentage calculation for each uri_path as shown in "Excepted Results". your help would be much appreciated.

current Query :
index=test sourcetype=123:abc:abc tag::source=AP
uri_path="/url/url1" OR uri_path="/url/url2"
OR uri_path="/url/url3" OR uri_path="/url/url4"
| timechart span=1d count by "uri_path" limit=0 | addtotals

Current Results :
_time /url/url1 /url/url2 /url/url3 /url/url4 Total
2019-08-29T00:00:00.000+0000 100 100 100 100 400
2019-08-30T00:00:00.000+0000 100 100 100 100 400
2019-08-31T00:00:00.000+0000 100 100 100 100 400
2019-09-01T00:00:00.000+0000 100 100 100 100 400
2019-09-02T00:00:00.000+0000 100 100 100 100 400

Excepted Results :
_time /url/url1 /url/url2 /url/url3 /url/url4 Total
2019-08-29T00:00:00.000+0000 100 100 100 100 400
Percentage for 2019-08-29 25% 25% 25% 25% 25%
2019-08-30T00:00:00.000+0000 100 100 100 100 400
Percentage for 2019-08-30 25% 25% 25% 25% 25%
2019-08-31T00:00:00.000+0000 100 100 100 100 400
Percentage for 2019-08-31 25% 25% 25% 25% 25%
2019-09-01T00:00:00.000+0000 100 100 100 100 400
Percentage for 2019-09-01 25% 25% 25% 25% 25%
2019-09-02T00:00:00.000+0000 100 100 100 100 400
Percentage for 2019-09-02 25% 25% 25% 25% 25%

Tags (2)
0 Karma

kirangurram
Explorer

Any other suggestions from anyone else ?

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

If your URLs are in a predictable format, then you could do something like this:

your search
| foreach '/url*' [ |eval pct_<<FIELD>> = round(100*<<FIELD>>/Total,0)]
0 Karma

kirangurram
Explorer

@DalJeanis , URLs are not in predictable format. Is it possible to use uri_path in the query to come-up with expected results ?

I tried below query , it didnt work.

index=test sourcetype=123:abc:abc tag::source=AP
uri_path="/url/url1" OR uri_path="/url/url2"
OR uri_path="/url/url3" OR uri_path="/url/url4"
| timechart span=1d count by "uri_path" limit=0 | addtotals
| foreach 'uri_path' [ |eval pct_uri_path = round(100*pct_uri_path/Total,0)]

For testing purpose , I also tried below query. it didnt work. I am getting same output which was printed in my previous post as "Current Results"

index=test sourcetype=123:abc:abc tag::source=AP
uri_path="/url/url1" OR uri_path="/url/url2"
OR uri_path="/url/url3" OR uri_path="/url/url4"
| timechart span=1d count by "uri_path" limit=0 | addtotals
| foreach '/url*' [ |eval pct_url = round(100*pct_url/Total,0)]

0 Karma

kirangurram
Explorer

@DalJeanis , Please advice if you have any feedback for my previous post.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...