- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use eval to find percentage for field value...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use eval to find percentage for field values?
I have values for a field named action, block, passed, and alerted. How would I go about creating a search to looks for the percentage of blocked to passed/alerted events?
I have the basic search of
index=foo
| stats count by src, action
| stats list(action) as Action, list(count) as count, sum(count) as Total by src
and was thinking eval could be used in some way
Thx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sample query:
| makeresults count=1000
| eval src="A.A.A.A#B.B.B.B#C.C.C.C#D.D.D.D"
| eval action="pass#fail"
| eval src=mvindex(split(src,"#"),random() % 3)
| eval action=mvindex(split(action,"#"),random() % 2)
| chart limit=0 count by src action
| eval failPerc=round(fail / ( fail + pass ) * 100,2)
recommend:
index=foo action=fail OR action=pass
| chart limit=0 useother=f usenull=f count by src action
| eval failPerc=round(fail / ( fail + pass ) * 100,2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're definitely on the right track - I like doing something like this for readability, as you clearly create a variable for pass and fail, and set it to a bool. Then, you can just sum them by whatever you want (I did src in this case), then do a simple divide eval command to get the percent.
index=foo
| stats count by src, action
|eval pass=if(action="pass", 1, 0)
|eval fail=if(action="fail", 1, 0)
|stats sum(pass) as numPass, sum(fail) as numFail by src
|eval failPerc=numFail/(numFail + numPass) * 100
Hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thx for the search. The issue that I'm having with the search you suggested is that the count of each action is reduced to a sum of the count which is just '1' and not the total count,. For example, I have IPs that are into the hundreds for allows, yet when I run the search they're reduced to one pass/fail.
I changed the last line to | stats count(pass) as numPass, count(fail) as numFail by src and the count was more than one, but way less then the true count. It's like the eval isn't being applied to every event.
Thx
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
