https://community.splunk.com/t5/Splunk-Search/Find-the-percentage-between-two-fields-from-two-sourcetypes/m-p/115614#M183869 <P>what about starting with something like that, then calculate the ratio. <BR /> <CODE>sourcetype=submitters OR sourcetype=recipient_group | chart dc(UserID) by UserID sourcetype | eval in_both=if(submitters==1 AND recipient_group==1,1,0)</CODE></P> <P>Then do the total and clean, then eval a percentage<BR /> <CODE>... | addcoltotals | WHERE isnull(UserID) | table submitters recipient_group in_both</CODE></P> Fri, 25 Oct 2013 17:20:14 GMT yannK 2013-10-25T17:20:14Z https://community.splunk.com/t5/Splunk-Search/Find-the-percentage-between-two-fields-from-two-sourcetypes/m-p/115613#M183868 <P>I have two sourcetypes - <STRONG>submitters</STRONG>, and <STRONG>recipient_group</STRONG>. I am looking to find the percentage of submitters that are in the recipient_group. If I have 500 submitters and 1000 recipients, my percentage would be 50%. The following search gives me the dc of users in each sourcetype, but I don't have the Splunk knowledge on how to retain those values so I can perform the math. </P> <PRE><CODE>sourcetype = submitters OR sourcetype=recipient_group | eval UserID{sourcetype}=UserID | stats dc(UserIDR*), dc(UserIDS*) </CODE></PRE> <P>Thanks everyone! Mike</P> Fri, 25 Oct 2013 16:47:07 GMT https://community.splunk.com/t5/Splunk-Search/Find-the-percentage-between-two-fields-from-two-sourcetypes/m-p/115613#M183868 lehrfeld 2013-10-25T16:47:07Z https://community.splunk.com/t5/Splunk-Search/Find-the-percentage-between-two-fields-from-two-sourcetypes/m-p/115614#M183869 <P>what about starting with something like that, then calculate the ratio. <BR /> <CODE>sourcetype=submitters OR sourcetype=recipient_group | chart dc(UserID) by UserID sourcetype | eval in_both=if(submitters==1 AND recipient_group==1,1,0)</CODE></P> <P>Then do the total and clean, then eval a percentage<BR /> <CODE>... | addcoltotals | WHERE isnull(UserID) | table submitters recipient_group in_both</CODE></P> Fri, 25 Oct 2013 17:20:14 GMT https://community.splunk.com/t5/Splunk-Search/Find-the-percentage-between-two-fields-from-two-sourcetypes/m-p/115614#M183869 yannK 2013-10-25T17:20:14Z https://community.splunk.com/t5/Splunk-Search/Find-the-percentage-between-two-fields-from-two-sourcetypes/m-p/115615#M183870 <P>yannK - Thanks for the response. To keep it simple, both of our sourcetypes only have one type of data in it. So a simple dc(userID) will give use the count needed to calculate the ratio. I just can't find a way to capture those values to do a calculation on them. I will keep tweaking the code and post back soon (hopefully). Mike</P> Fri, 25 Oct 2013 17:55:42 GMT https://community.splunk.com/t5/Splunk-Search/Find-the-percentage-between-two-fields-from-two-sourcetypes/m-p/115615#M183870 lehrfeld 2013-10-25T17:55:42Z https://community.splunk.com/t5/Splunk-Search/Find-the-percentage-between-two-fields-from-two-sourcetypes/m-p/115616#M183871 <P>Figured it out. My issue was using the wildcard '*' in the dc command. When I used the entire name - poof!</P> <BLOCKQUOTE> <P>sourcetype = submitters OR<BR /> sourcetype=recipient_group | eval<BR /> UserID{sourcetype}=UserID |stats<BR /> dc(eval(UserIDRecipient_Group)) as<BR /> USERR, dc(eval(UserIDSubmitters)) as<BR /> USERS | eval<BR /> percentage=(USERS/USERR*100)</P> </BLOCKQUOTE> Mon, 28 Sep 2020 15:05:33 GMT https://community.splunk.com/t5/Splunk-Search/Find-the-percentage-between-two-fields-from-two-sourcetypes/m-p/115616#M183871 lehrfeld 2020-09-28T15:05:33Z