Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

get all fields

Shakira1
Explorer
‎10-17-2023 04:59 AM

HI

I need to get the count of all fields in some index and then calculate how many times in percentage it occurred out of all events.

 

hope its clear.

thank you!

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-17-2023 06:13 AM

Use the fieldsummary command to get the field info then calculate the percentage from that info.  It's not clear which percentage is sought so modify the eventstats and eval commands below as necessary.

index=_internal
| fieldsummary
``` Get the total number of fields ```
| eventstats sum(count) as Total,sum(distinct_count) as TotalDistinct
``` Compute the percentages ```
| eval Pct=round(count*100/Total,2), DistPct=round(distinct_count*100/TotalDistinct,2)

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Shakira1
Explorer
‎10-17-2023 06:52 AM

I would like to get the percentage of some count field from the total count

for example: 

after using fieldsummary I got this: [{"value":"/System/Library/LaunchAgents/com.apple.mdworker.shared.plist","count":61372} under value key

and the total count events is1,039,803, so in a new field I want to get the calculate for how much in percentage the count (61372) is from the total (1,039,803), this result I want to get to all my fields. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-17-2023 07:25 AM

Is this more like what you envision?

index=_internal
| fieldsummary
| eventstats sum(count) as Total
``` Get rid of fields we don't need ```
| fields - max mean min stdev is_exact
``` Convert the values array to a multi-value field ```
| eval mv_values=json_array_to_mv(values)
``` Put each value into a separate event ```
| mvexpand mv_values
``` Extract value and its count ```
| rex field=mv_values "value\\\":\\\"(?<value>[^\"]+)\\\",\\\"count\\\":(?<valueCount>\d+)"
| eval Pct=round(valueCount*100/Total,2)
| table field value valueCount Pct
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Shakira1
Explorer
‎10-18-2023 12:31 AM

its looking very good! thank you.

I just dont understand the calculate results. 

for example: in valueCount I have 294723 from the total which is 1360007 should be ≈ 21.67% but in Pct field value I have 0.33, Do you know why?

all my results in Pct are not correct. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-18-2023 08:05 AM

I don't get it, either.  When I plug your numbers into the query I get the expected 21.67.  Can you share a screenshot just so we're sure we're looking at the right numbers?

---
If this reply helps you, Karma would be appreciated.
Reply

Shakira1
Explorer
‎10-19-2023 12:29 AM

sure.

attached the valueCount and Pct.

also the number of events:  1,380,350 events

Tags (1)
Preview file
26 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...