Percentages display

shreyad · ‎07-23-2018

If I want to display percentages as well as a count for a table and I want the percentages out of the total count of the table, how do I display that?

|multisearch [search index = blah sourcetype="blah" host=blah | tstats count WHERE index = blah sourcetype="blah" host=blah earliest=@mon
| eval earliest=if(cou... OR ("NAME"="blah") | eval Coast ="EastCoast"]

somesoni2 · ‎07-23-2018

Try like this

|multisearch [search index = blah sourcetype="blah" host=blah [| tstats count WHERE index = blah sourcetype="blah" host=blah  earliest=@mon 
| eval earliest=if(count=0,"-1mon@mon","@mon") | table earliest ] 
 ("NAME"="blah_*") OR ("NAME"="blah") | eval Coast ="EastCoast"] 
[search index = blah sourcetype="blah " host=blah
[| tstats count WHERE index = blah sourcetype="blah " host=blah earliest=@mon 
| eval earliest=if(count=0,"-1mon@mon","@mon") 
| table earliest ] 
("NAME"="blah _*") OR ("NAME"="blah *") | eval Coast ="WestCoast"]| dedup HOST.IP |stats count(blah) as NumberOfIPs by Coast
| eventstats sum(NumberOfIPs) as Total
| eval Percentage=round(NumberOfIPs*100/Total,2) 
| fields - Total

shreyad · ‎07-31-2018

Thank you!

CarsonZa · ‎07-23-2018

you could use |top otherwise you'll have to do some math.

|stats count(_raw) as total
|stats count(x) by x as foo
|eval perc = ((foo / total)*100) + "%"

http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Top

Percentages display

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases