- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I search the count of events and use that v...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I search the count of events and use that value to calculate another field?
I wish to count the number of events and then use that value to calculate something else.
I tried something like this:
index=dotcom sourcetype=dotcom_access_log status != 2* pid=www.abc.com |
eventstats count as todayTotal |stats count(status) as todayValue by status | eval percent = (todayValue/todayTotal)*100
But todayTotal comes as empty when I use it in eval (though the bold line successfully gets the value of todayTotal).
Please suggest how can i use the value of "total number of events" (todayTotal in the case above).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index=dotcom sourcetype=dotcom_access_log status != 2* pid=www.abc.com|stats count(status) as todayValue by status | eventstats sum(todayValue) AS todayTotal | eval percent = (todayValue/todayTotal)*100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Move your eventstats after your stats command and change it to | eventstats sum(todayValue) as todayTotal
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does this give you what you're looking for?
index=dotcom sourcetype=dotcom_access_log pid=www.abc.com | stats count as total count(eval(status!="2*")) as statuscount | eval percent=statuscount/total*100
If you want the percentage for all status > 200 then try this
index=dotcom sourcetype=dotcom_access_log pid=www.abc.com status>299 | stats count by status | stats sum(count) as value by status | eventstats sum(value) as total | eval percent=value/total*100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the search is losing the field todayTotal when it do the stats command by status. I think the search should do the stats by status, todayTotal which will also keep the todayTotal field in the results so you can calculate the percent field.
...|stats count(status) as todayValue by status,todayTotal | eval percent = (todayValue/todayTotal)*100
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
