Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to display the percentage of tickets sold based on a conditional search string?

maximusdm
Communicator
‎12-16-2016 07:03 AM

Splunk newbie here so please bear with me.
Given the table/records below, how can I build a bar chart with the percent of tickets sold based on a search string?
For instance, if string = "Metallica" then sum up 3 + 1 = 4 and calculate the percentage of 10 sold tickets total.
For instance, if string = "Metallica Cover" then 1 is the total and calculate the percentage of 10 total.

Tickets           Sold

Metallica           3
Metallica Cover      1
U2                 1
Soundgarden       1
Britney Spears     0
U2                 2
Metallica           2

I managed to count the number of entries of each Ticket but what I need is to calculate the number of tickets sold, so the query below is wrong:

 | eval tickets=Tickets | replace
 *Metallica* with "Metallica", *Metallica*Cover* with "Metallica Cover", *U2* with "U2", *Soundgarden*
 with Soundgarden, *Britney*Spears*
 with "Britney Spears" in tickets | top
 limit=15 useother=t tickets

I could also use the following => stats count by tickets
but I need to be able to count the num Sold by searching a specific string.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-16-2016 09:01 AM

Try something like this

..| eval tickets=Tickets | replace *Metallica* with "Metallica", *Metallica*Cover* with "Metallica Cover", *U2* with "U2", *Soundgarden* with Soundgarden, *Britney*Spears* with "Britney Spears" in tickets 
| stats sum(Sold) as Sold by tickets | eventstats sum(Sold) as TotalSold
| eval Percentage=round(Sold*100/TotalSold,2)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-16-2016 09:01 AM

Try something like this

..| eval tickets=Tickets | replace *Metallica* with "Metallica", *Metallica*Cover* with "Metallica Cover", *U2* with "U2", *Soundgarden* with Soundgarden, *Britney*Spears* with "Britney Spears" in tickets 
| stats sum(Sold) as Sold by tickets | eventstats sum(Sold) as TotalSold
| eval Percentage=round(Sold*100/TotalSold,2)
0 Karma
Reply
Solved! Jump to solution

maximusdm
Communicator
‎12-16-2016 12:33 PM

That actually worked. I was comparing the data with an Excel spreadsheet and Splunk had a filter. All good. Thank you so much!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...