Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sum(field) depending on another field

marina_rovira
Contributor
‎02-22-2016 02:24 AM

Hello all,

I have a field called Type with three values and I want a chart of the percentage of these three values. I am looking for a chart like this, which is easy to achieve:

alt text

But with the % value over the total count of another field for each type. I have a field called Count, that I want to sum for each type, so by now, my search is this:

| timechart sum(Count) by Type

The thing is that I cannot find a way to sum this field depending of the Type field. If I had the sum, I could calculate the percentage myself.

Someone knows if I can do it?

Thanks in advance!

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-22-2016 08:34 AM

Try something like this

your base search | bucket span=1mon _time | stats sum(count) as count by _time Type | eventstats sum(count) as Total by _time | eval Percent=round(count*100/Total) | timechart span=1mon max(Percent) by Type

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-22-2016 08:34 AM

Try something like this

your base search | bucket span=1mon _time | stats sum(count) as count by _time Type | eventstats sum(count) as Total by _time | eval Percent=round(count*100/Total) | timechart span=1mon max(Percent) by Type
Reply
Solved! Jump to solution

fdi01
Motivator
‎02-22-2016 03:22 AM

to chart of the percentage of these three values , try like :

...| top  Type

or
try thi :

...| stats count by Type | eventstats sum(count) as total | eval percent = round(count/total) . " %" | fields - total
Reply
Solved! Jump to solution

marina_rovira
Contributor
‎02-22-2016 04:32 AM

It works! for one month, do you if there is a possibility to do it over month? as a timechart or something?

Thank you!

0 Karma
Reply
Solved! Jump to solution

fdi01
Motivator
‎02-22-2016 05:00 AM

try like:

...|bucket _time span=1months| top  Type by _time
Reply
Solved! Jump to solution

marina_rovira
Contributor
‎02-22-2016 09:28 AM

Thank you so much! 🙂

0 Karma
Reply
Solved! Jump to solution

marina_rovira
Contributor
‎02-22-2016 05:36 AM

okay, I'm approaching to it.

I need a mix of these two queries, noy I have:

  • on one hand:
    | stats sum(Count) as suma by Type | eventstats sum(suma) as total | eval percent = round((suma/total)*100,0)."%"

  • on the other hand:
    |bucket _time span=1months| top Type by _time

Now, I need to sum the field Count for Type and moth. With this last thing you wrote me, I almost achieve it, but it counts the events and I need to sum a field for the events.

Thanks, you're helping me a lot!

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...