https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54718#M179758 <P>I don't know what your results look like, so not sure. That said, here's another search which should give you a ratio:</P> <P>index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | stats sum(eval(round(if(Category="IBC",src_bytes,0)/1024/1024,2))) AS IBC_MB, sum(eval(round(if(Category="Non-IBC",src_bytes,0)/1024/1024,2))) AS Non-IBC_MB | eval Ratio=IBC_MB/Non-IBC_MB</P> Mon, 28 Sep 2020 14:42:59 GMT srioux 2020-09-28T14:42:59Z https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54710#M179750 <P>how can I do a ratio search not based on count, but based on src_bytes (inbound traffic) to get a ratio for two fields. For example, I want to do a ratio of two categories Shopping sites to Search Engine sites, but not by count but by bandwidth (src_bytes).</P> Mon, 28 Sep 2020 14:42:37 GMT https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54710#M179750 jaywilwk 2020-09-28T14:42:37Z https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54711#M179751 <P>You didn't give us a lot to go on.</P> <P>Assuming that the two record types would have differing sourcetype (which they might not), the following should work:</P> <P>...your base search search here... | stats sum(src_bytes) AS Size by sourcetype</P> <P>That would create a sum of the values in src_bytes, using sourcetype as a grouping, over the timeframe of your search. If you have another field differentiating the two categories, you should be able to use that instead of sourcetype.</P> Thu, 05 Sep 2013 12:54:57 GMT https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54711#M179751 srioux 2013-09-05T12:54:57Z https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54712#M179752 <P>Here's what i'm trying to do. I'm trying to get a ratio of events within a category, but I'm only concern with two events. One event is in the category IBC. The other events I want to consolidate those into one event in the category, to get a ratio of IBC to Non IBC traffic by src_bytes.<BR /> index=proxysg sourcetype=proxysg | stats sum(src_bytes) as MB by category | eval MB=round(MB/1024/1024,2) | category!=IBC Allow* as Non-Ibc, category=IBC Allow as IbC Allow</P> Mon, 28 Sep 2020 14:42:54 GMT https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54712#M179752 jaywilwk 2020-09-28T14:42:54Z https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54713#M179753 <P>Is 'category' a field in your raw data, do you have it extracted, or is that piece of the search still pending? Can you provide a few sample records (anonymize the data set as required).</P> <P>There are likely a few ways to get what you're looking for.</P> Thu, 05 Sep 2013 14:28:47 GMT https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54713#M179753 srioux 2013-09-05T14:28:47Z https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54714#M179754 <P>Category is an extracted field. This search didn't work for me at all. This is the basic search I started out with manipulating to try to yield some results.</P> Thu, 05 Sep 2013 14:37:10 GMT https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54714#M179754 jaywilwk 2013-09-05T14:37:10Z https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54715#M179755 <P>Try:</P> <P>index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | stats sum(src_bytes) AS Bytes by Category | eval MB=round(Bytes/1024/1024,2)</P> <P>The ratios may need to be calculated once we've appropriately categorized the data.</P> Thu, 05 Sep 2013 14:44:21 GMT https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54715#M179755 srioux 2013-09-05T14:44:21Z https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54716#M179756 <P>The results shown was the two Category's IBC, Non-IBC along with Bytes field and MB field.</P> Thu, 05 Sep 2013 14:51:00 GMT https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54716#M179756 jaywilwk 2013-09-05T14:51:00Z https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54717#M179757 <P>Is it possible to have it setup like this? I'm mainly concern with the layout of the results. The results of this shows a list of bases with the post, gets and the ratio of get/post:<BR /> index=proxysg sourcetype=proxysg | stats count(eval(method="POST")) as POST, count(eval(method="GET")) AS GET by base | eval RATIO OF GET/POST=(GET/POST</P> Thu, 05 Sep 2013 15:31:13 GMT https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54717#M179757 jaywilwk 2013-09-05T15:31:13Z https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54718#M179758 <P>I don't know what your results look like, so not sure. That said, here's another search which should give you a ratio:</P> <P>index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | stats sum(eval(round(if(Category="IBC",src_bytes,0)/1024/1024,2))) AS IBC_MB, sum(eval(round(if(Category="Non-IBC",src_bytes,0)/1024/1024,2))) AS Non-IBC_MB | eval Ratio=IBC_MB/Non-IBC_MB</P> Mon, 28 Sep 2020 14:42:59 GMT https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54718#M179758 srioux 2020-09-28T14:42:59Z https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54719#M179759 <P>that GET/POST one I sent you showed results like this:<BR /> base POST GET RATIO OF GET/POST<BR /> 1. base a 9 9 1<BR /> 2. base b 6 2 0.33<BR /> 3. base c 2 3 1.50</P> Thu, 05 Sep 2013 17:12:16 GMT https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54719#M179759 jaywilwk 2013-09-05T17:12:16Z https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54720#M179760 <P>I have a question. On the first ratio search you sent, is it possible to have the search show like this:<BR /> base IbC Non-IbC Ratio of IbC/Non-IbC<BR /> base a 22 23 0.96<BR /> base b 6 7 0.86<BR /> base c 25 26 0.96</P> Mon, 09 Sep 2013 16:12:05 GMT https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54720#M179760 jaywilwk 2013-09-09T16:12:05Z https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54721#M179761 <P>Try:<BR /> index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | stats sum(eval(round(if(Category="IBC",src_bytes,0)/1024/1024,2))) AS IBC_MB, sum(eval(round(if(Category="Non-IBC",src_bytes,0)/1024/1024,2))) AS Non_IBC_MB by base | eval Ratio=IBC_MB/Non_IBC_MB</P> Mon, 28 Sep 2020 14:44:31 GMT https://community.splunk.com/t5/Splunk-Search/Ratio-using-src-bytes-instead-of-count-for-two-fields/m-p/54721#M179761 srioux 2020-09-28T14:44:31Z