Percent of Total

Question

I'm trying to figure out how to calculate a percent of total such that:

search string | stats count percent by email

Would spit out:

EMAIL               COUNT PERCENT
email@blah.com          5     10%
otheremail@blah.com    10     20%

Thanks! -S.

Answer 1

2

Try the top command:

search string | top email

If you're getting the data from a "stats" or "sistats" in a summary index, it's a bit harder, but certainly possible.

For a summary populated by "stats":

index=summary source=<search_name> | stats sum(count) as count by email | eventstats sum(count) as total | eval percent = round(count/total) . " %" | fields - total

For a summary populated by "sistats":

index=summary source=<search_name> | stats count by email | eventstats sum(count) as total | eval percent = round(count/total) . " %" | fields - total

link

answered 27 Aug '10, 19:36

Stephen Sorkin ♦
8.9k●5●10
accept rate: 52%

edited 27 Aug '10, 19:51

So, I'm searching against a summary index. In an effort to keep the summary index multi-purpose, I created it as a sistats (run hourly), as in:

sourcetype="blah" earliest="-2h@h" latest="-1h@h" | sistats count by email

So if I used "top" for a query on the summary index, and a certain email showed up 100 times each hour, "top" would only count the number of times the email showed up in the summary index (a maximum of one per hour).

So, is it possible to imitate "top" in this circumstance? Am I just making this too hard on myself?

(27 Aug '10, 19:44) sondradotcom

Correct, do not use top in this circumstance. Use stats and eventstats as Stephen as shown above.

(28 Aug '10, 18:20) gkanapathy ♦

Percent of Total

Follow this question

Splunk Resources

Related questions