topic Re: How do you return a conditional count and grand-total in a query? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-you-return-a-conditional-count-and-grand-total-in-a-query/m-p/441361#M125385 <P>Thanks Vijeta for coming back to me. I ran this query and I am getting the correct grand total but the revisit number is much larger than expected. </P> <P>I get the 297 for the grand total but 247 for revisits which is too high. I am expecting around 117.</P> <P>Any idea why?</P> Wed, 19 Dec 2018 19:12:06 GMT skribble5 2018-12-19T19:12:06Z How do you return a conditional count and grand-total in a query? https://community.splunk.com/t5/Splunk-Search/How-do-you-return-a-conditional-count-and-grand-total-in-a-query/m-p/441359#M125383 <P>Hi all,</P> <P>Novice here. I have two separate queries that are doing a simple calculation each, but I would like to combine them. What would be the best way to do this?</P> <P>The first query returns the distinct number of users within a data source:</P> <P>Here is the result which says that the campaign "DM664023" had 297 recipients. The recipients are in the field "user_only"</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6270i37C5C0E8BFBD4FED/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>The query used to get to that result is: </P> <PRE><CODE>sourcetype="xxx" source="yyy" campaign_delivery="DM664023" | stats dc(user_only) as distinctRecipients by campaign_delivery </CODE></PRE> <P>Then, the second query returns the number of users who have more than one record in the data-source. If a user only has 1 record in the data source, then that person only access the campaign once. If the user has &gt; 1 record in the data source, then that person revisited the campaign. </P> <P>The second query returns the number of revisits. Here is the result which says that the campaign DM664023 had 117 revisits.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6271iF1938773645C38CA/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>The query used to get to second result is:</P> <PRE><CODE>sourcetype="xxx" source="yyy" campaign_delivery="DM664023" | stats count by user_only | where count &gt; 1 | chart count as "Revisits" </CODE></PRE> <P>Ideally, I want one search which returns the following:</P> <P>"campaign" | "# total ppl who accessed the campaign" | "number of people who accessed campaign more than once | % of people who revisited campaign<BR /> DM664023 | 297 | 117 | 39.39%<BR /> campaign2 | x | y | y/x<BR /> campaign3 | a | b | b/a</P> <P>Any help will be greatly appreciated!</P> <P>Thanks!</P> Wed, 19 Dec 2018 16:30:57 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-return-a-conditional-count-and-grand-total-in-a-query/m-p/441359#M125383 skribble5 2018-12-19T16:30:57Z Re: How do you return a conditional count and grand-total in a query? https://community.splunk.com/t5/Splunk-Search/How-do-you-return-a-conditional-count-and-grand-total-in-a-query/m-p/441360#M125384 <P>Try this if it works-</P> <PRE><CODE>sourcetype="xxx" source="yyy" campaign_delivery="DM664023" | eventstats count as revisit by user_only | stats dc(user_only) as distinctRecipients , count(eval(revisit&gt;1)) as Revisit by campaign_delivery| eval perc= Revisit/distinctRecipients*100 | table campaign_delivery Revisit distinctRecipients perc </CODE></PRE> Wed, 19 Dec 2018 17:05:14 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-return-a-conditional-count-and-grand-total-in-a-query/m-p/441360#M125384 Vijeta 2018-12-19T17:05:14Z Re: How do you return a conditional count and grand-total in a query? https://community.splunk.com/t5/Splunk-Search/How-do-you-return-a-conditional-count-and-grand-total-in-a-query/m-p/441361#M125385 <P>Thanks Vijeta for coming back to me. I ran this query and I am getting the correct grand total but the revisit number is much larger than expected. </P> <P>I get the 297 for the grand total but 247 for revisits which is too high. I am expecting around 117.</P> <P>Any idea why?</P> Wed, 19 Dec 2018 19:12:06 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-return-a-conditional-count-and-grand-total-in-a-query/m-p/441361#M125385 skribble5 2018-12-19T19:12:06Z Re: How do you return a conditional count and grand-total in a query? https://community.splunk.com/t5/Splunk-Search/How-do-you-return-a-conditional-count-and-grand-total-in-a-query/m-p/441362#M125386 <P>Try <CODE>dedup user_only</CODE> before stats command </P> Wed, 19 Dec 2018 19:25:18 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-return-a-conditional-count-and-grand-total-in-a-query/m-p/441362#M125386 Vijeta 2018-12-19T19:25:18Z Re: How do you return a conditional count and grand-total in a query? https://community.splunk.com/t5/Splunk-Search/How-do-you-return-a-conditional-count-and-grand-total-in-a-query/m-p/441363#M125387 <P>That worked beautifully. Thank you so much!</P> Wed, 19 Dec 2018 19:38:48 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-return-a-conditional-count-and-grand-total-in-a-query/m-p/441363#M125387 skribble5 2018-12-19T19:38:48Z