topic Re: Divide a Result By Two in Getting Data In

Divide a Result By Two

henryt1 — Wed, 20 Jun 2012 16:26:05 GMT

The following search I'm running is giving me duplicate results for each event:

(host="zakta-test.inno-360.com") AND (demo-landscaping-test.inno-360.com) AND ("POST /search2sectionhandler.php" OR "POST /search2keephandler.php") | stats count by referer_domain

For instance if there were five events I'm interested in within the past hour it will return 10. However if I try to use "dedup" it just gives me a count of 1 since they're all similar events.

How would I divide the results by 2 within Splunk? To make it a little obvious just doing 10/2=5.

Re: Divide a Result By Two

sdaniels — Wed, 20 Jun 2012 16:52:26 GMT

Instead of deduping based on host (not sure if that's what you are doing) maybe you could create another field for the URI's and dedup by those? Or maybe it's referer_domain that would work. Anyways hard to tell without seeing your raw events.

If you want to manipulate your count just use the eval command but hopefully you can find a way to use dedup.

... | eval newCount = count/2

Re: Divide a Result By Two

henryt1 — Wed, 20 Jun 2012 17:38:52 GMT

Thank you! This worked but it created a new column. Would there be a way to hide the original column (since I'm creating a chart from this and only need the new column)? Or would it be possible to divide this without creating a new column?

Re: Divide a Result By Two

sdaniels — Wed, 20 Jun 2012 17:52:45 GMT

You could do
... | fields - count or pipe it to table and specify the columns you want ... | table myCount referer_domain. I think both of those will get rid of count for you.

Re: Divide a Result By Two

henryt1 — Mon, 25 Jun 2012 18:39:46 GMT

This is great, thank you!

Re: Divide a Result By Two

cheganbm — Thu, 27 Feb 2014 15:55:01 GMT

using the fieldformat operator should do what you need.

...|fieldformat count=count/2