https://community.splunk.com/t5/Splunk-Dev/Ratio-of-total-number-Informational-events-and-events-with/m-p/384363#M6399 <P>sorry for the type, in the main query the command should be eventstats not streamstats, which is also not working</P> Mon, 07 May 2018 18:46:54 GMT macadminrohit 2018-05-07T18:46:54Z https://community.splunk.com/t5/Splunk-Dev/Ratio-of-total-number-Informational-events-and-events-with/m-p/384362#M6398 <P>My query is like this, here eventstats is not doing what it is supposed to do.</P> <P>index=servers sourcetype=xs_json | rename hdr.level as LEVEL<BR /><BR /> | stats count(eval(searchmatch("not available"))) as ERROR_COUNT | streamstats count(eval(LEVEL="Information")) as INFO | eval RATIO=(INFO/ERROR_COUNT)</P> <P>I am getting the values for ERROR_COUNT by not for the field INFO. But when i run stats on count(eval(LEVEL="Information")) as INFO i can see the values but not with eventstats.</P> <P>Basically i want a ratio as seen in the above query. Ratio of TOTAL number of messages divided by the number of events in which "not available" was present.</P> Tue, 29 Sep 2020 19:26:03 GMT https://community.splunk.com/t5/Splunk-Dev/Ratio-of-total-number-Informational-events-and-events-with/m-p/384362#M6398 macadminrohit 2020-09-29T19:26:03Z https://community.splunk.com/t5/Splunk-Dev/Ratio-of-total-number-Informational-events-and-events-with/m-p/384363#M6399 <P>sorry for the type, in the main query the command should be eventstats not streamstats, which is also not working</P> Mon, 07 May 2018 18:46:54 GMT https://community.splunk.com/t5/Splunk-Dev/Ratio-of-total-number-Informational-events-and-events-with/m-p/384363#M6399 macadminrohit 2018-05-07T18:46:54Z https://community.splunk.com/t5/Splunk-Dev/Ratio-of-total-number-Informational-events-and-events-with/m-p/384364#M6400 <P>I even tried appendcols but it doesnt work. Always getting the value for INFO as 0. </P> Mon, 07 May 2018 18:57:37 GMT https://community.splunk.com/t5/Splunk-Dev/Ratio-of-total-number-Informational-events-and-events-with/m-p/384364#M6400 macadminrohit 2018-05-07T18:57:37Z https://community.splunk.com/t5/Splunk-Dev/Ratio-of-total-number-Informational-events-and-events-with/m-p/384365#M6401 <P>I need a timechart of the ratio.</P> Mon, 07 May 2018 19:04:47 GMT https://community.splunk.com/t5/Splunk-Dev/Ratio-of-total-number-Informational-events-and-events-with/m-p/384365#M6401 macadminrohit 2018-05-07T19:04:47Z https://community.splunk.com/t5/Splunk-Dev/Ratio-of-total-number-Informational-events-and-events-with/m-p/384366#M6402 <P>If the Total Event count is all events, including error events (to calculate ratio of all vs errors), try like this (showing hourly timechart, adjust span per your need)</P> <PRE><CODE>index=servers sourcetype=xs_json | rename hdr.level as LEVEL | eval isError=if(searchmatch("not available"),1,0) | timechart span=1h sum(isError) as ERROR_COUNT count as TOTAL_COUNT | eval RATIO=round(TOTAL_COUNT/ERROR_COUNT,2) | table _time RATIO </CODE></PRE> <P>If the Total Event count is all INFO events, NOT including error events (to calculate ratio of info vs errors), try like this (showing hourly timechart, adjust span per your need)</P> <PRE><CODE>index=servers sourcetype=xs_json | rename hdr.level as LEVEL | eval isError=if(searchmatch("not available"),1,0) | eval isInfo=if(LEVEL="Information",1,0) | timechart span=1h sum(isError) as ERROR_COUNT sum(isInfo) as INFO_COUNT | eval RATIO=round(INFO_COUNT/ERROR_COUNT,2) | table _time RATIO </CODE></PRE> Mon, 07 May 2018 20:12:44 GMT https://community.splunk.com/t5/Splunk-Dev/Ratio-of-total-number-Informational-events-and-events-with/m-p/384366#M6402 somesoni2 2018-05-07T20:12:44Z https://community.splunk.com/t5/Splunk-Dev/Ratio-of-total-number-Informational-events-and-events-with/m-p/384367#M6403 <P>the query is still running as i am getting 30 days data, any idea why eventstats didnt work?</P> Mon, 07 May 2018 21:18:46 GMT https://community.splunk.com/t5/Splunk-Dev/Ratio-of-total-number-Informational-events-and-events-with/m-p/384367#M6403 macadminrohit 2018-05-07T21:18:46Z