topic Re: How do you calculate the percentage of log entries that have a specific value in a field out of the total number of entries that have that field defined, bucketed by time? in Splunk Search
https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-percentage-of-log-entries-that-have-a/m-p/61208#M15093
<P>This should work. </P>
<PRE><CODE><your search> | eval myfield=case(n > 0, "A", n=0, "B") | timechart count by myfield | eval total=A+B | eval Aperc=100*A/total | eval Bperc=100*B/total | fields _time Aperc Bperc
</CODE></PRE>
<P>Also, for when you have more than two values going on, <CODE>| addtotals</CODE> will be more useful to you than <CODE>| eval total=A+B</CODE>. (Note that addtotals creates a field called 'Total' and field names are case-sensitive.)</P>Fri, 19 Aug 2011 20:39:20 GMTsideview2011-08-19T20:39:20ZHow do you calculate the percentage of log entries that have a specific value in a field out of the total number of entries that have that field defined, bucketed by time?
https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-percentage-of-log-entries-that-have-a/m-p/61207#M15092
<P>I have a log where each event can be given a boolean field with:</P>
<P>| eval myfield=case(n > 0, "A", n=0, "B")</P>
<P>So some events have myfield = "A", others have myfield = "B", and others have myfield unset.</P>
<P>I'd like a graph with the X axis being "time" and the Y axis being the percentage of events that have n = "A" -- more specifically, the number of events that have n = "A" divided by number of events that have either (n = "A" or n = "B").</P>
<P>How do I do that?</P>Fri, 19 Aug 2011 20:30:32 GMThttps://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-percentage-of-log-entries-that-have-a/m-p/61207#M15092wtanaka2011-08-19T20:30:32ZRe: How do you calculate the percentage of log entries that have a specific value in a field out of the total number of entries that have that field defined, bucketed by time?
https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-percentage-of-log-entries-that-have-a/m-p/61208#M15093
<P>This should work. </P>
<PRE><CODE><your search> | eval myfield=case(n > 0, "A", n=0, "B") | timechart count by myfield | eval total=A+B | eval Aperc=100*A/total | eval Bperc=100*B/total | fields _time Aperc Bperc
</CODE></PRE>
<P>Also, for when you have more than two values going on, <CODE>| addtotals</CODE> will be more useful to you than <CODE>| eval total=A+B</CODE>. (Note that addtotals creates a field called 'Total' and field names are case-sensitive.)</P>Fri, 19 Aug 2011 20:39:20 GMThttps://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-percentage-of-log-entries-that-have-a/m-p/61208#M15093sideview2011-08-19T20:39:20ZRe: How do you calculate the percentage of log entries that have a specific value in a field out of the total number of entries that have that field defined, bucketed by time?
https://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-percentage-of-log-entries-that-have-a/m-p/61209#M15094
<P>You can use eval's inside of the functions of the charting modules to check if something is true.</P>
<PRE><CODE>|timechart span=15m count as "Total_Events" count(eval(myfield="a")) as "Total_A" count(eval(myfield="b")) as "Total_B" | eval percent_a=Total_A/Total_Events | eval percent_b=Total_B/Total_Events | fields percent_a,percent_b
</CODE></PRE>
<P>If you want to only see a ratio of A to B, simply replace the division of "total_events" with the respective value. </P>Fri, 19 Aug 2011 20:46:36 GMThttps://community.splunk.com/t5/Splunk-Search/How-do-you-calculate-the-percentage-of-log-entries-that-have-a/m-p/61209#M15094bbingham2011-08-19T20:46:36Z