I have the following query
<base query> | rex field=msg "HTTP/1.1\\\" (?<http_status>\d{3})"
| where http_status=200 OR http_status=401
| eval event_date=strftime(_time, "%x")
| chart count over event_date by http_status
that gives me the following table
event_date  200  401
==========  ===  ===
11/28/21    61   24
11/29/21    295  96
However, I need an additional column that shows the percentage of status 401 compared to the total, i.e., "401"/("200"+"401"), as the following:
event_date  200  401  401 percentage
==========  ===  ===  ==============
11/28/21    61   24   28.24%
11/29/21    295  96   24.55%
Could anyone tell me how to do it? Thank you very much.
Use an eval to compute the percentage.
| eval "401 percentage" = round('401'*100/('200'+'401'),2)."%"
The round function limits the calculation to 2 decimal places and ."%" adds a percent symbol to the end. BTW, be sure to use single quotes where I have so Splunk knows it's a field name rather than a string literal.
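
Added example, not part of the original question or answer: a self-contained search that rebuilds the charted table with makeresults and applies the same eval, extended to cover two edge cases, a status column that is missing from the chart output and a day with no matching events. The 11/30/21 row is constructed sample data, and `row` and `total` are helper field names assumed for this illustration.

```spl
| makeresults count=3
| streamstats count AS row
| eval event_date=case(row=1, "11/28/21", row=2, "11/29/21", row=3, "11/30/21")
| eval "200"=case(row=1, 61, row=2, 295, row=3, 0)
| eval "401"=case(row=1, 24, row=2, 96, row=3, 0)
| table event_date "200" "401"
| fillnull value=0 "200" "401"
| eval total='200'+'401'
| eval "401 percentage"=if(total=0, "n/a", round('401'*100/total, 2)."%")
| fields - total
```

The first two rows reproduce 28.24% and 24.55% from the question. The fillnull and the if(total=0, ...) guard keep the column populated when the base search returns no 401 events or no events at all for a day, cases where the plain eval would leave the field empty.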