How can I create a percentage field in a table based on the count
Say I am parsing a file which contains response codes as "response_code" and response times as "response_time".
I then want to visualise this in a table with:
| avg(response_time) as Average, count as ResponseCount by response_code
I would also like to know what percentage of all transactions in the selected timeframe each count of "response_code" accounts for and add that as a field showing that percentage.
I don't know what the response_code values could be for the query as they are dynamic.
E.g.:
Imagine I have data like:
response_code  response_time
1              100
2              150
1              300
1              200
I would want the output to look like:
response_code  Average  ResponseCount  PercentageOfTransactions
1              200      3              75
2              150      1              25
In Splunk I would do this with eventstats to calculate the total and the percentage, then report the percentage as values(PercentageOfTransactions).
-
Perfect Rick Jury. Thanks! Worked exactly as I wanted.
-
Hi Greg,
You can do eventstats in Sumo, just a different way.
| avg(response_time) as Average, count as ResponseCount by response_code
| total ResponseCount as totalresponses
| (ResponseCount / totalresponses) * 100 as PercentageOfTransactions
| sort PercentageOfTransactions
| fields -totalresponses
You could also use the format operator if you want to display it as a percentage with %.
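
The query from the answer above with the format step written out, as an added example that is not part of the original answer. The `_sourceCategory=example/app` scope and the `PercentageDisplay` field name are placeholders, the fields `response_code` and `response_time` are assumed to be already extracted, and the format specifier assumes Java-style syntax.

```sumo
// Placeholder scope: replace with the source that holds the parsed log file.
_sourceCategory=example/app
// One row per response_code, whatever codes appear in the time range.
| avg(response_time) as Average, count as ResponseCount by response_code
// total adds the sum of ResponseCount across all rows to every row,
// which is the role eventstats plays in the Splunk version.
| total ResponseCount as totalresponses
| (ResponseCount / totalresponses) * 100 as PercentageOfTransactions
// Sort on the numeric field first: format returns a string, and sorting
// on a string such as "9.0%" would not order the rows numerically.
| sort by PercentageOfTransactions
// Display copy with one decimal place and a literal % sign ("%%").
| format("%.1f%%", PercentageOfTransactions) as PercentageDisplay
| fields response_code, Average, ResponseCount, PercentageDisplay
```

On the four sample events in the question this gives 75.0% for response_code 1 and 25.0% for response_code 2.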