Splunk Search

Subtotal percentage with stats

dauren_akilbeko
Communicator

I'm working with Windows events and want to make the following report/search:

process1                 Total XX   XX%
    command_line1        XX%
    command_line2        XX%

process4                 Total XX   XX%
    command_line1        XX%
    command_line2        XX%

What I came up with:

`index_windows` EventCode=4688
| fields Process_Command_Line, New_Process_Name
| stats count(Process_Command_Line) as totalCount by New_Process_Name, Process_Command_Line
| eventstats sum(totalCount) as _total
| eventstats sum(totalCount) as _totalPerProcess by New_Process_Name
| eval percentageTotal=round((totalCount/_total)*100,2)
| eval percentagePerProcess=round((totalCount/_totalPerProcess)*100,2)
| sort - totalCount

The only thing is that I can't figure out how to merge fields by New_Process_Name.

0 Karma
1 Solution

ITWhisperer
SplunkTrust
`index_windows` EventCode=4688
| fields Process_Command_Line, New_Process_Name
| stats count(Process_Command_Line) as totalCount by New_Process_Name, Process_Command_Line
| eventstats sum(totalCount) as _total
| eventstats sum(totalCount) as _totalPerProcess by New_Process_Name
| eval percentageTotal=round((totalCount/_total)*100,2)
| eval percentagePerProcess=round((totalCount/_totalPerProcess)*100,2)
| stats sum(totalCount) as totalCount list(Process_Command_Line) as Process_Command_Line list(percentageTotal) as percentageTotal list(percentagePerProcess) as percentagePerProcess by New_Process_Name
| sort - totalCount

dauren_akilbeko
Communicator

Thank you, so simple! 🙄 Changed list to values though, as it hit the limit.

0 Karma

ITWhisperer
SplunkTrust

The reason for list rather than values is to keep the count and process in line because values sorts them. If you can't use list, you should consider creating a concatenated field before using values.
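The concatenated-field approach from the reply above, worked through as an added example (it is not ITWhisperer's or the original poster's search). It assumes the `index_windows` macro and the EventCode 4688 field names used on this page, and uses the `printf` eval function to right-pad the percentage to a fixed width so the lexical order that `values` imposes matches numeric order; the per-process total and its share of all 4688 events are carried along as the "Total XX XX%" line the question asked for.

```spl
`index_windows` EventCode=4688
| fields New_Process_Name, Process_Command_Line
| stats count as cmdCount by New_Process_Name, Process_Command_Line
| eventstats sum(cmdCount) as grandTotal
| eventstats sum(cmdCount) as processTotal by New_Process_Name
| eval processPct=round(processTotal/grandTotal*100, 2)
| eval cmdPct=round(cmdCount/processTotal*100, 2)
| eval cmdLine=printf("%6.2f", cmdPct)." % | ".Process_Command_Line
| stats first(processTotal) as Total first(processPct) as "Total %" values(cmdLine) as "Command lines (% of process)" by New_Process_Name
| sort - Total
```

Because every multivalue entry already carries its own percentage, `values` can sort and deduplicate the entries without separating a command line from its number, which is what goes wrong when `list` is simply swapped for `values` on the separate fields.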
