- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Calculate percentage
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have this query:
index=dm counter="Short Equity Loop Duration" | timechart span=1h max(Value),median(Value) by counter | rename "max(Value): Short Equity Loop Duration" AS "Max Values", "median(Value): Short Equity Loop Duration" AS "Median Values"
The total events count is 86,397 - I would like to add a percentage field that count how many events where value below 1000, more then 1000 to 2000, 2001 to 3000 etc...
can any one help?
Thanks,
Rotem
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run this for "Last 24 hours"
Your base search here with no other commands (pipes)| bucket Value span=1000 | top limit=0 Value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run this for "Last 24 hours"
Your base search here with no other commands (pipes)| bucket Value span=1000 | top limit=0 Value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So you are throwing away your timechart then? I do not understand. Give us some sample events (or intermediary events that you know are good for you) and a mockup of desired final output (stats tab, not visualization tab).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for the answer - here is an example event
07/06/2016 06:30:42.149 +0000
collection=DealMonitor
object=DealMonitor
counter="Short Equity Loop Duration"
instance=0
Value=6476
What I'm trying to achieve is that I have time chart (24 hours) that span 1h and show percentages of values that were between:
1-1000
1001-2000
2001-3000
3000.....
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=dm counter="Short Equity Loop Duration"
| bin span=1h _time as time
| eventstats count(eval(Value<1000)) as cntBelow count(eval(Value>=1000 AND Value<2001)) as cntBetween count(eval(Value>2000)) as cntAbove count as Total by time counter
| eval percBelow=tostring(cntBelow/Total*100, "commas"), "%")
| eval percBetween=tostring(cntBetween/Total*100, "commas"), "%")
| eval percAbove=tostring(cntAbove/Total*100, "commas"), "%")
| chart values(cnt*) as * (values(perc*) as * over time by counter
| eval time=strftime(time, "%x %X")
| rename ....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=dm counter="Short Equity Loop Duration"
| eval low=if(Value<1000,low+1,low)
| eval lowperc=(low/count)*100
| eval midlow=if(1000<=Value AND Value<2000,midlow+1,midlow)
| eval midlowperc=(midlow/count)*100
...
| timechart span=1h values(lowperc) AS LowPercentage, values(midlowperc) AS MidLowPercentage, ... max(Value),median(Value) by counter
| rename "max(Value): Short Equity Loop Duration" AS "Max Values", "median(Value): Short Equity Loop Duration" AS "Median Values
Add the other possibilities where I added ...
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
