I have a basic Splunk query as shown below. I'm able to create a timechart for the count of the similar_events and non_similar_events fields. But now I'm trying to create a timechart for the percentage of the similar_events and non_similar_events fields instead of the count.
How do I create a percentage timechart for the similar_events and non_similar_events fields? How should I write the Splunk query?
My basic query:
index="xyz" sourcetype="abc" status="completed"
| timechart span=1hr count(eval(_raw like "%similar%")) as similar_events
    count(eval(_raw like "%non_similar%")) as non_similar_events
| eval total_events = 'similar_events' + 'non_similar_events'
| eval similar_events_perc = ((similar_events/total_events)*100)."%"
We have to add the count variable to get the Total; then it is easy to calculate.
Find the query here:
index=windows source=service State="Running"
| timechart span=1m count(eval(match(DisplayName,"Splunk"))) as similar_events
    count(eval(match(DisplayName,"SQL"))) as non_similar_events
    count as Total
| eval similar_events_perc=((similar_events/Total)*100)."%"
For the rest, you can do whatever operations you like.
Hope this helps.
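Added worked example (not from either poster in this thread): the same "add a plain count as the total" approach, but with the percentages kept numeric so the timechart panel can actually draw them, and with a guard for empty time buckets. It builds its own constructed events with makeresults (the _raw strings and the 2-hour spread are made up here), so it runs in any Splunk search bar without the original index; swap the first three lines for your real base search.

```spl
| makeresults count=200
| eval _time = now() - (random() % 7200)
| eval _raw = if(random() % 3 == 0, "event non_similar detected", "event similar detected")
| timechart span=1h
    count(eval(like(_raw, "%non_similar%"))) as non_similar_events
    count(eval(like(_raw, "%similar%") AND NOT like(_raw, "%non_similar%"))) as similar_events
    count as total_events
| eval similar_events_perc = if(total_events > 0, round(similar_events / total_events * 100, 2), 0)
| eval non_similar_events_perc = if(total_events > 0, round(non_similar_events / total_events * 100, 2), 0)
| fields _time similar_events_perc non_similar_events_perc
```

Two things differ from the queries above on purpose. First, the "%" is not concatenated onto the value: that turns the field into a string, and a string field is not plotted as a line in the timechart visualization, which is a common reason the percentage chart comes out empty. Leave the value numeric and label the axis "%" in the panel instead. Second, dividing by a bucket where total_events is 0 yields null in eval, so the if() guard pins those buckets to 0 rather than leaving gaps. The NOT clause on the similar count is there because "%similar%" also matches the string "non_similar"; if your real events use distinct markers, the plain pattern from the original query is enough.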