I have a set of servers and their patch status against them in a file.
Hostname Patch_status
server1 Patched
server2 Pending
server3 Patched
server4 Pending
server5 Pending
server6 Patched
server7 Pending
server8 Patched
server9 Pending
server10 Pending
I would like to show a percentage value of Patched servers
In the above example, the percentage value should be 40%.
I have played with CHART, STATS, EVENTSTATs, etc but not able to break it. Can someone help me out.
@rpradeep
Are you looking for this?
YOUR_SEARCH | stats count by Patch_status
| eventstats sum(count) as total
| eval perc = count/total*100
Here I have used eventstats
for total count.
ref: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/eventstats
Sample Search:
| makeresults
| eval data="server1@@Patched||server2@@Pending||server3@@Patched||server4@@Pending||server5@@Pending||server6@@Patched||server7@@Pending||server8@@Patched||server9@@Pending||server10@@Pending"
| eval data=split(data,"||")
| mvexpand data
| eval Hostname=mvindex(split(data,"@@"),0),Patch_status=mvindex(split(data,"@@"),1)
| table Hostname Patch_status
| stats count by Patch_status
| eventstats sum(count) as total
| eval percent = count/total*100 | table Patch_status percent
if you want specific with Patch_status
then add below search in above search.
| where Patch_status="Patched"
Thanks
@rpradeep
Are you looking for this?
YOUR_SEARCH | stats count by Patch_status
| eventstats sum(count) as total
| eval perc = count/total*100
Here I have used eventstats
for total count.
ref: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/eventstats
Sample Search:
| makeresults
| eval data="server1@@Patched||server2@@Pending||server3@@Patched||server4@@Pending||server5@@Pending||server6@@Patched||server7@@Pending||server8@@Patched||server9@@Pending||server10@@Pending"
| eval data=split(data,"||")
| mvexpand data
| eval Hostname=mvindex(split(data,"@@"),0),Patch_status=mvindex(split(data,"@@"),1)
| table Hostname Patch_status
| stats count by Patch_status
| eventstats sum(count) as total
| eval percent = count/total*100 | table Patch_status percent
if you want specific with Patch_status
then add below search in above search.
| where Patch_status="Patched"
Thanks
Thanks @kamlesh_vaghela , this is what I am looking for but still I need to display the perc value instead of Patched count.
Please help with that too.
@rpradeep
I've updated the answer and added | table Patch_status percent
.
Here, percent
field is the percentage field. If you want to add % sign then add below eval.
| eval percent=percent."%"
Perfect.
Thanks a lot @kamlesh_vaghela.
I have been using stats/chart, etc in place of table. Table solves my requirement.
Glad to help you @rpradeep
Happy Splunking
:)