- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to reuse the count from a previous search to c...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to reuse the count from a previous search to calculate a percentage in a second search or combine the two searches?
Hi,
I want to create a dashboard using these 2 searches:
1) the first one index='text' | count, will give a result. For example result=250
2) the second one will be based on the result of the first one
index='text' type='cpu'| eventstats sum(nombre) as total | eval pourcentage=round((nombre/result)*100,2) | table EventType, nombre, pourcentage
Do you have an idea how to do this?
Thank you all, have a nice day
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi otman01
Just follow this link ,it will help you
http://answers.splunk.com/answers/169069/extract-one-row-of-data-from-a-table.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you I could find another solution, for my case I use WHERE expression to extrat just one line
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi otman01
Try this xml code
<dashboard>
<label>fcff</label>
<row>
<panel>
<chart>
<search>
<query>source="WinEventLog:*" | chart count AS result</query>
<earliest>0</earliest>
<latest>now</latest>
</search>
</chart>
</panel>
</row>
<row>
<panel>
<chart>
<search>
<query> source="WinEventLog:*" EventType=0 | chart count by EventType </query>
<earliest>0</earliest>
<latest>now</latest>
</search>
</chart>
</panel>
</row>
<row>
<panel>
<chart>
<search>
<query> source="WinEventLog:*" | chart count as nombre by EventType | eventstats sum(nombre) as total | eval percentage=round((nombre/total)*100,2) | table EventType, nombre, percentage </query>
<earliest>0</earliest>
<latest>now</latest>
</search>
</chart>
</panel>
</row>
</dashboard>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you satisfied by my previous answer ? If yes let vote it
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your answer.
so this is an extrat of the result that the search return:
EventType--------nombre ------------------- percentage
0------------------- 8246 ----------------------- 14.43
1 ------------------- 18 --------------------------- 0.03
2 ------------------- 7512 ----------------------- 13.15
3 ------------------- 3982 ------------------------ 6.97
4 ------------------- 37286 ---------------------- 65.25
5 ------------------- 101 -------------------------- 0.18
What I want to do is extract for example the 2nd row and the 4th row .
Is this is POSSIBLE ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @otman01
Please be sure than when responding to someone's answer, click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You keep typing your responses in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer when it was really meant as a comment. This will help with a clean continuous flow of the conversation. It gets difficult when people don't know who you're responding to. I already converted your answer to a comment, so just something to keep in mind from here on out. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes EventType is a field for me there are a values that it accept (0.1.2.3.4.5.6)
thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Otman01
try this:
index='text'|count AS result [search index='text' type='cpu'| eventstats sum(nombre) as total ]| eval pourcentage=round((nombre/result)*100,2) | table EventType, nombre, pourcentage
Thanks to vote and Accept if your are satisfied....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have some problems in the 2 searchs. can you help me ? thank you
"Error in 'chart' command: The argument '( ( EventType=0 AND count=7957 ) )' is invalid."
this is exactely the first search:
source="WinEventLog:*" | chart count AS result
this is the second:
search source="WinEventLog:*" EventType=0 | chart count by EventType
in the general search I do like bellow (it works to give me the percentage)
source="WinEventLog:*" | chart count as nombre by EventType | eventstats sum(nombre) as total | eval percentage=round((nombre/total)*100,2) | table EventType, nombre, percentage
but I want to keep each row in a separate panel .
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
