- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- View percentage with count
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I'm pretty new to Splunk and I'm trying out different things to challange myself. I completed the fundementals 1 course and started testing on some Linux systems. I'm trying to find unhealthy systems and sort them by "problem". That part works right now, but now I want to show the percentages of the problems.
index=Linux HCS "NOT OK" | table HCS host | search host="" | stats count by HCS
How should I go about summing everything up and getting all percetages based on different problems?
In the course they use top [field] limit=10 to view percentages, but in this case, that's not working.
Can someone help me out a bit?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I think your problem is that you're doing the stats before doing the top.
Try it like that
index=Linux HCS "NOT OK"
| table HCS host
| search host="o*" host!="osas*"
| top HCS limit=10
You will have the top 10 of the HCS with the count and the percentage 🙂
Let me know if it works !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I think your problem is that you're doing the stats before doing the top.
Try it like that
index=Linux HCS "NOT OK"
| table HCS host
| search host="o*" host!="osas*"
| top HCS limit=10
You will have the top 10 of the HCS with the count and the percentage 🙂
Let me know if it works !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, that works perfectly. Could you maybe eleborate why stats should not be before top?
I'm trying to learn as much as possible so I would appreciate that a lot!
Also, is there a way to be more interactive with the community for small questions like this? Something like a chatroom or something?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Because for this case stats count and top are doing the same thing, so you have to use only one of them.
The difference is that top is only doing a count and the give the percentage but stats can do a count, sum, average, first or last value... (look at this documentation : https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Stats#Stats_function_options)
And for your second question, we have a Slack and you can join us : splk.it/slack
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot! Really helpfull
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
