
How to get count and percentage of targets displayed in a dashboard based off of request types?

bryceweb22
Path Finder

I am trying to create a dashboard that displays the count and percentage based off HTTP and HTTPS request types.

0 Karma

martynoconnor
Communicator

So when you say you can see HTTPS and HTTP request types - is the field for request type being extracted by Splunk? If it's just present in the raw event data but not extracted, then you'll need to first extract it. You can check on the list of events on the left-hand side of results to see if it has been extracted.

Can you also show me an example (redacting out any sensitive data) of each request type from your events? That will help me write you a more focused search if the field isn't being extracted normally.

0 Karma

bryceweb22
Path Finder

I am getting no results found, but I am looking through the logs and can clearly see that there are HTTP and HTTPS request types.

0 Karma

martynoconnor
Communicator

Hi there,

You can modify this search to meet your needs. I used Splunk's internal logs as an example:

index=_internal sourcetype=splunkd log_level=*
| eventstats count as totalcount 
| chart sparkline count,first(totalcount) as totalcount by log_level 
| eval percentage=round(count/totalcount*100,2)."%"