I have a search in which I am using stats to generate a data grid. Something to the effect of
Choice1 10
Choice2 50
Choice3 100
Choice4 40
I would now like to add a third column that is the percentage of the overall count. So something like
Choice1 10 .05
Choice2 50 .25
Choice3 100 .50
Choice4 40 .20
I suspect I need to use a subsearch for this because each row now depends on the total count but I am not exactly sure how to accomplish this. Any help would be greatly appreciated.
For the earlier question, you could probably do something like this:
... | eventstats count as "totalCount" | eventstats count as "choiceCount" by choice | eval percent=(choiceCount/totalCount)*100 | stats values(choiceCount), values(percent) by choice
Usually, you can avoid eventstats altogether and just use the "top" command (http://docs.splunk.com/Documentation/Splunk/4.2.3/SearchReference/Top) like so:
... | top choice limit=0
In addition to this, in order to avoid using multiple stats stanzas, I use this type of structure with a stats then an eval:
| search (message="Polling" OR message="No data" OR message="503" OR message="Pushing")
| timechart count(eval(message="Polling")) as Total_Polls count(eval(message="No data")) as Dataless_Polls count(eval(message="503")) as Error_Polls count(eval(message="Pushing")) as Successful_Polls
| eval Percent_Successful=(((Successful_Polls)/Total_Polls)*100)
| fields _time Percent_Successful
This allows you to just compute one stats function and then evaluate any combination of percentages across your dataset. Of course this is a timechart, so you can just replace this with stats to get the desired functionality.
Maybe I am being dense, but the eventstats documentation is baffling and I cannot get it to calculate percentages as asked in the question.
Any chance of a worked example?
The "top" example worked for me instead. eventstats didn't make sense.
Thanks, this is exactly what I needed.
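A worked eventstats example for the table in the question, added here as an illustration and not posted by anyone in the thread. It builds 200 constructed events with makeresults (the field name "choice" and the 10/50/100/40 split are assumptions taken from the question's sample), aggregates once with stats, then uses eventstats to copy the grand total onto every row so each row can be divided by it:

```spl
| makeresults count=200
| streamstats count as n
| eval choice=case(n<=10, "Choice1", n<=60, "Choice2", n<=160, "Choice3", true(), "Choice4")
| stats count by choice
| eventstats sum(count) as total
| eval percent=round(count/total, 2)
| table choice count percent
```

Because stats runs first, eventstats only sees four rows instead of every raw event; replace the first three lines with your own base search to use it on real data.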