How can we get the percentage of the top 1000 values along with some more fields? I have tried the below but it's not working.

|eval percent=round(count/total*100,1000) | eventstats count(src) as total | iplocation src| stats count by src , dest , msg , Server_Group,Country,percent | sort-count | head 1000

supriya
  • What does "its not working" mean? Please provide expected results and actual results. Also, "top 1000" of what? Splunk uses integer math so you'll get more accurate results with `eval count*100/total`. The second argument of the `round` function is a number of decimal places so `2` probably makes more sense than `1000`. The `eval` command works on a single event, which means the sample query is calculating 1000 percentages. Not that there's anything wrong with that, but it's probably not the intent. – RichG Jan 29 '21 at 18:40
  • We have the below query: index=abc| iplocation src_IP| stats count by src ,Country | sort-count | head 1000 with the output below: Source of attack, Country, count; 50.17.98.189 Ireland 9602; 159.89.48.18 Canada 2200; 221.151.26.232 Republic of Korea 1437; 84.39.116.10 United Kingdom 1372. I want the average of count where the total number of records is 1000 (I have given an example of only 4 above). – supriya Feb 01 '21 at 08:33

1 Answer

This run-anywhere query should get you started.

| makeresults 
| eval _raw="Source of attack Country           count
50.17.98.189   Ireland             9602 
159.89.48.18   Canada              2200 
221.151.26.232 Republic of Korea 1437 
84.39.116.10   United Kingdom      1372
" 
| multikv 
```Above just sets up test data```
| sort - count 
```Add average and total fields to the results```
| appendpipe 
    [ stats avg(count) as Avg, sum(count) as Total ] 
```Put the Total field on top so the filldown command works```
|  reverse
```Put the Total field in every event```
| filldown Total 
```Calculate the percentage for each source```
| eval pct=round(count*100/Total,2)
```Restore the original order```
| reverse
```Remove unneeded field```
| fields - Total

Here's your query combined with mine

index=abc
| iplocation src_IP
| stats count by src ,Country 
| sort - count 
| head 1000
| appendpipe 
    [ stats avg(count) as Avg, sum(count) as Total ] 
| reverse
| filldown Total 
| eval pct=round(count*100/Total,2)
| reverse
| fields - Total
RichG
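An alternative way to get the same result with `eventstats`, which the original question attempted but placed before the total existed. This is an added example, not RichG's or the asker's query; it assumes the source IP field is named `src` (as in the first query in the question) and shows both the share of the top 1000 and the share of all sources, which the page's query does not distinguish.

```spl
index=abc
| iplocation src
| stats count by src, Country
```Total over every source, computed before head so it covers all traffic```
| eventstats sum(count) as AllTotal
| sort - count
| head 1000
```Total and average over the top 1000 only; eventstats must run before the eval that uses its output```
| eventstats sum(count) as TopTotal, avg(count) as Avg
```Multiply before dividing so integer math does not truncate the result to 0```
| eval pct_of_top1000=round(count*100/TopTotal, 2)
| eval pct_of_all=round(count*100/AllTotal, 2)
| fields - AllTotal, TopTotal
```

The `pct_of_top1000` column sums to 100 across the 1000 rows; `pct_of_all` will sum to less than 100 whenever sources beyond the top 1000 exist.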