I have two searches that return, respectively, the number of total sessions and the number of device crashes. How can I divide sessions by device crashes to get an average?
Try this
platform=Android sourcetype="mint:Ping" | stats count as total_sessions | appendcols [ search platform=Android sourcetype="mint:error" | stats count as total_crashes ] | eval Average=total_sessions/total_crashes
2 searches, one division... check.
I created an example doing the math: (ignore the fields I chose, replace with your own)
index=os sourcetype=cpu CPU=ALL | stats avg(pctCPUutil) as CPU_pct | appendcols [search index=os sourcetype=who | stats dc(USERNAME) as NUM_user | fields NUM_user] | eval CPU_per_user=CPU_pct/NUM_user | table CPU_pct NUM_user CPU_per_user
Edit: I tried submitting this yesterday, but Splunk's website refused to post it. It submitted today when I was cleaning up.
Thanks for the response, I ended up with a table correctly displaying total_sessions, total_crashes, and Average_crashes. Is it possible to dive deeper into this average_crashes number and divide this number up based on device? I tried the chart command but I wasn't sure how to pull in the 'Average' that I calculated.
Try like this
your search1 giving field Total_Sessions | appendcols [search search2 giving field Total_Crashes ] | eval Average=Total_Sessions/Total_Crashes
My query looks like this with your advice:
platform =Android sourcetype = "mint:Ping" giving field total_sessions | appendcols [search platform=Android sourcetype="mint:error" giving field total_crashes] | eval Average=Total_sessions/Total_crashes
However it is telling me that "you can only use appendcols after a reporting command such as stats, chart, or timechart"
Thanks somesoni2!
My answer was pseudocode assuming that you already have the full query written to get you total_sessions and total_crashes from those two searches. I believe @sundareshr's answer should do the trick for you.
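For the per-device follow-up asked above, here is an added example that is not part of the original thread. appendcols pairs rows by position rather than by key, so a split-by search is safer when both counts come from a single stats over both sourcetypes. The field name device is an assumption; substitute whatever field identifies the device in your MINT events.

```spl
platform=Android (sourcetype="mint:Ping" OR sourcetype="mint:error")
| stats count(eval(sourcetype="mint:Ping")) as total_sessions
        count(eval(sourcetype="mint:error")) as total_crashes
        by device
| eval Average=if(total_crashes > 0, round(total_sessions / total_crashes, 2), null())
| sort - total_crashes
```

Devices with no crashes get an empty Average instead of a division by zero.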