Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to display the percentage of tickets sold based on a conditional search string?

maximusdm
Communicator
‎12-16-2016 07:03 AM

Splunk newbie here so please bear with me.
Given the table/records below, how can I build a bar chart with the percent of tickets sold based on a search string?
For instance, if string = "Metallica" then sum up 3 + 1 = 4 and calculate the percentage of 10 sold tickets total.
For instance, if string = "Metallica Cover" then 1 is the total and calculate the percentage of 10 total.

Tickets           Sold

Metallica           3
Metallica Cover      1
U2                 1
Soundgarden       1
Britney Spears     0
U2                 2
Metallica           2

I managed to count the number of entries of each Ticket but what I need is to calculate the number of tickets sold, so the query below is wrong:

 | eval tickets=Tickets | replace
 *Metallica* with "Metallica", *Metallica*Cover* with "Metallica Cover", *U2* with "U2", *Soundgarden*
 with Soundgarden, *Britney*Spears*
 with "Britney Spears" in tickets | top
 limit=15 useother=t tickets

I could also use the following => stats count by tickets
but I need to be able to count the num Sold by searching a specific string.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-16-2016 09:01 AM

Try something like this

..| eval tickets=Tickets | replace *Metallica* with "Metallica", *Metallica*Cover* with "Metallica Cover", *U2* with "U2", *Soundgarden* with Soundgarden, *Britney*Spears* with "Britney Spears" in tickets 
| stats sum(Sold) as Sold by tickets | eventstats sum(Sold) as TotalSold
| eval Percentage=round(Sold*100/TotalSold,2)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-16-2016 09:01 AM

Try something like this

..| eval tickets=Tickets | replace *Metallica* with "Metallica", *Metallica*Cover* with "Metallica Cover", *U2* with "U2", *Soundgarden* with Soundgarden, *Britney*Spears* with "Britney Spears" in tickets 
| stats sum(Sold) as Sold by tickets | eventstats sum(Sold) as TotalSold
| eval Percentage=round(Sold*100/TotalSold,2)
0 Karma
Reply
Solved! Jump to solution

maximusdm
Communicator
‎12-16-2016 12:33 PM

That actually worked. I was comparing the data with an Excel spreadsheet and Splunk had a filter. All good. Thank you so much!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...