Splunk Search

Stats count as a percentage as the total?

christopherutz
Path Finder

I have a search in which I am using stats to generate a data grid. Something to the effect of

Choice1 10
Choice2 50
Choice3 100
Choice4 40

I would now like to add a third column that is the percentage of the overall count. So something like

Choice1 10 .05
Choice2 50 .25
Choice3 100 .50
Choice4 40 .20

I suspect I need to use a subsearch for this because each row now depends on the total count but I am not exactly sure how to accomplish this. Any help would be greatly appreciated.

1 Solution

southeringtonp
Motivator

You can do this without a subsearch - take a look at the eventstats command.

acdevlin
Communicator

For the earlier question, you could probably do something like this:

... | eventstats count as "totalCount" | eventstats count as "choiceCount" by choice  | eval percent=(choiceCount/totalCount)*100 | stats values(choiceCount), values(percent) by choice

Usually, you can avoid eventstats altogether and just use the "top" command (http://docs.splunk.com/Documentation/Splunk/4.2.3/SearchReference/Top) like so:

... | top choice limit=0

haraksin
Path Finder

In addition to this, in order to avoid using multiple stats stanzas, I use this type of structure with a stats then an eval:

| search (message="Polling" OR message="No data" OR message="503" OR message="Pushing") 
| timechart count(eval(message="Polling")) as Total_Polls count(eval(message="No data")) as Dataless_Polls count(eval(message="503")) as Error_Polls count(eval(message="Pushing")) as Successful_Polls 
| eval Percent_Successful=(((Successful_Polls)/Total_Polls)*100) 
| fields _time Percent_Successful

This allows you to just compute one stats function and then evaluate any combination of percentages across your dataset. Of course this is a timechart, so you can just replace this with stats to get the desired functionality.

raoul
Path Finder

Maybe I am being dense, but the eventstats documentation is baffling and I cannot get it to calculate percentages as asked in the question.

Any chance of a worked example?

klaurea
Engager

The "top" example worked for me instead. eventstats didn't make sense.

0 Karma

christopherutz
Path Finder

Thanks, this is exactly what I needed.

0 Karma
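
A worked eventstats example for the question in this thread, added here and not taken from any poster's reply: the first three lines build 200 constructed sample events with the question's counts (10/50/100/40) using makeresults, and the field names n, total and percent are chosen for illustration. stats collapses the events to one row per choice, then eventstats writes the grand total onto every row without collapsing them further, so eval can divide each count by it.

```spl
| makeresults count=200
| streamstats count as n
| eval choice=case(n<=10, "Choice1", n<=60, "Choice2", n<=160, "Choice3", true(), "Choice4")
| stats count by choice
| eventstats sum(count) as total
| eval percent=round(count/total, 2)
| fields choice count percent
```

Against real data, drop the first three lines and start from the base search; running eventstats after stats means it processes one row per choice rather than every raw event.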