Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate the percentage for top X values of a field per day over time

sranga
Path Finder
‎04-20-2010 08:37 PM

Hi

I was wondering if it is possible to generate a chart based on the following criteria: “Display the top X percentage values of a particular field on a daily basis over time”.

Say I have the following log statements and I want to display the top 2 percentage values:

Day-1 

id=10,name=Green,type=req1,message=xyz  
id=11,name=Blue,type=req2,message=something  
id=12,name=Mary,type=req2,message=nothing  
id=13,name=Rice,type=req3,message=test  
id=14,name=Black,type=req4,message=abc  
id=15,name=First,type=req10,message=eee  
id=152,name=Bob,type=req22,message=ooo  
id=154,name=White,type=req5,message=ppp

Day-2 

id=110,name=X,type=req10,message=xyz  
id=111,name=A,type=req10,message=something  
id=121,name=Y,type=req10,message=nothing  
id=131,name=ZZ,type=req10,message=test  
id=141,name=TT,type=req4,message=abc  
id=151,name=RR,type=req5,message=eee  
id=1521,name=QQ,type=req22,message=ooo  
id=1541,name=EW,type=req5,message=ppp

For Day-1, the chart would display req2 & req3 and their respective percentages – 25% for both
For Day-2, the chart would display req10 & req5 and 50% & 25% respectively
The percentage/values could be different between days. Thanks for your help.

Ranga

Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-20-2010 10:07 PM 
... | bucket _time span=1d | top 2 type by _time

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-20-2010 10:07 PM 
... | bucket _time span=1d | top 2 type by _time
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-23-2010 03:08 AM

I'm afraid I don't really understand, but it seems to me that the top two by percentage would be the same as the top two by number. Or do you just mean ... | bucket _time span=1d | top 2 message by _time,type

0 Karma
Reply
Solved! Jump to solution

sranga
Path Finder
‎04-22-2010 05:38 PM

In essence, this is what I'm trying to do:
... | bucket _time span=1d | chart eval((count(eval(message!="xxx")) / count) * 100) as Percentage over type by _time | sort Percentage | head 2

0 Karma
Reply
Solved! Jump to solution

sranga
Path Finder
‎04-22-2010 05:18 PM

Thanks. This works. I missed mentioning that I need to base the percentage calculation on a field value. So, for the example given in the question, how do I compute the top 2 values of the percentage of type fields whose message fields have the value something.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...