Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Calculate a percentage from three events

swilson91
New Member
‎03-08-2013 07:01 AM

Hi,

I'm hoping you can help me I currently have a graph that have 3 events lets call them event1, event2 and event3. I want to somehow in the search total these three values and find out the percentage of each of them for example

event1 event2 event3
50 70 20

The searches I have tried so far have not worked I managed to get the total I think but not sure how to find out the percentage of each of the values

"index=test| timechart latest(event1) latest(event2) latest(events) | eventstats count AS total"

Any help would be much appreciated

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-11-2013 05:31 AM

Try something like this if you have a fixed number of events:

... | timechart avg(event1) as event1 avg(event2) as event2 avg(event3) as event3 | addtotals | eval event1 = event1/100*Total | eval event2 = event2/100*Total | eval event3 = event3/100*Total | fields - Total

If you have a large or unknown number of events you can use the http://splunk-base.splunk.com/apps/76026/scale-command to do some wildcard-enabled maths:

... | timechart avg(event*) as event* | addtotals | scale field=Total pattern=^event | scale scale=0.01 pattern=^event round=1 | fields - Total
0 Karma
Reply

swilson91
New Member
‎03-11-2013 05:16 AM

Hi,

My raw data is like:

event1 event2 event3
50 70 20
50 80 20
30 70 20
50 70 10

I want to total the three events and find out what percentage each of them are of the total for example

event1 event2 event3
35.7% 50.0% 14.3%
33.3% 53.3% 13.3%
25.0% 58.3% 16.7%
38.5% 53.8% 7.7%

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-09-2013 04:27 AM

What's your raw data, and what do you want to see in the end? I'm a bit confused by counting the number of rows put out by the timechart in the eventstats.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎03-08-2013 07:34 AM

You can pipe to a stats and do some eval-in'.

index=test | timechart latest(event1) as evt1 latest(event2) as evt2 latest(events) as evt| eventstats count AS total latest(evt*) as evt*|eval evtperc=evt/total*100|eval evt2perc=evt2/total*100|eval evt3perc=evt3/total*100

0 Karma
Reply

swilson91
New Member
‎03-08-2013 07:56 AM

Like this?

index=test| timechart latest(event1) as evt1 latest(event2) as evt2 latest(events) as evt| eventstats count AS total latest(evt*) as evt*| eval evtperc=evt/total*100|eval evt2perc=evt2/total*100|eval evt3perc=evt3/total*100 | fields evtperc, evt2perc, evt3perc

When I run this it doesn't show the correct fields on the graph?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...