topic Re: How to calculate ratio between 2 fields? in Splunk Dev

How to calculate ratio between 2 fields?

sarit_s — Thu, 10 Feb 2022 22:52:47 GMT

Hello,

I want to calculate a ratio between two fields (i know it suppose to be an easy one but looks like im missing something)

i want to count all the Totals and then check where Total > 200 as latency and count them all
after i have both of them i want to check if the ration between them is > 0.3

sourcetype="*user-program*" | rename AdditionalData.Total as Total | eval Latency=if(Total>200,Total,null()) |eval Ratio = Total/Latency

this one returning no results

Re: calculate ratio between 2 fields

PickleRick — Thu, 10 Feb 2022 22:42:09 GMT

I'm not sure what you're trying to achieve. Maybe it's the wording.

Counting usually means that you want to count how many separate events (possibly fulfilling some condition) yoy have.

With your search you're calculating values in every event. It doesn't have anything to do with any counting.

For every event you're calculating a field called Ratio, which can have a value of 1 (if Total was bigger than 200 - in this case Latency is also set to equal to Total an the ratio is obviously 1) or null (if Total is less or equal to 200, Latency is set to null and you can't calculate ratio from null).

Re: calculate ratio between 2 fields

ITWhisperer — Thu, 10 Feb 2022 22:46:51 GMT

What are you counting? There doesn't appear to be appear stats command.

Also, if Total is greater than 200, Latency will be the same as Total so Latency/Total will be 1, otherwise Latency will be null so Total/Latency will be null. Given that you are getting no results, this would suggest Total is never greater than 200.

Re: calculate ratio between 2 fields

sarit_s — Thu, 10 Feb 2022 22:53:16 GMT

there are lots of total>200
what im trying to calculate is the count of total
the count of where total>200

and then calculate the ratio between them

after i have the result of the ratio i want to check if the ration is > 0.3 and raise an alert

Re: How to calculate ratio between 2 fields?

yuanliu — Fri, 11 Feb 2022 05:53:40 GMT

To rephrase, you want to count the number of events where field Total > 200, and compare with total number of events in which field Total exists. This would be an easy one except our brains tricks us when the field name is Total. I have been in this type of confusion a lot.

To eliminate this mental trap, instead of "rename AdditionalData.Total as Total", let's "rename AdditionalData.Total as someMetric".

sourcetype="*user-program*" Additional.Data=* | rename AdditionalData.Total as someMetric | eval highLatency=if(someMetric>200,1,0) | stats count sum(highLatency) as highLatency | eval Ratio = highLatency/count

Re: calculate ratio between 2 fields

PickleRick — Fri, 11 Feb 2022 06:07:09 GMT

So you want to

| stats count(Total) as total count(eval(Total>200)) as matched
| eval ratio=matched/total