How to divide the results of two searches to get an average?

Explorer

I have two searches that return, respectively, the total number of sessions and the number of device crashes. How can I divide sessions by device crashes to get an average?

0 Karma
1 Solution

Legend

Try this

platform=Android sourcetype="mint:Ping" | stats count as total_sessions | appendcols [ search platform=Android sourcetype="mint:error" | stats count as total_crashes ] | eval Average=total_sessions/total_crashes

Explorer

2 searches, one division... check.
I created an example doing the math: (ignore the fields I chose, replace with your own)

index=os sourcetype=cpu CPU=ALL | stats avg(pctCPUutil) as CPU_pct | appendcols [search index=os sourcetype=who | stats dc(USERNAME) as NUM_user | fields NUM_user] | eval CPU_per_user=CPU_pct/NUM_user | table CPU_pct NUM_user CPU_per_user

Edit: I tried submitting this yesterday, but Splunk's website refused to post it. It submitted today when I was cleaning up.

Explorer

Thanks for the response, I ended up with a table correctly displaying totalsessions, totalcrashes, and Averagecrashes. Is it possible to dive deeper into this averagecrashes number and divide this number up based on device? I tried the chart command but I wasn't sure how to pull in the 'Average' that I calculated.

0 Karma

SplunkTrust

Try like this

your search1 giving field Total_Sessions | appendcols [search search2 giving field Total_Crashes ] | eval Average=Total_Sessions/Total_Crashes

Explorer

My query looks like this with your advice:

platform =Android sourcetype = "mint:Ping" giving field totalsessions | appendcols [search platform=Android sourcetype="mint:error" giving field totalcrashes] | eval Average=Totalsessions/Totalcrashes

However it is telling me that "you can only use appendcols after a reporting command such as stats, chart, or timechart"

Thanks somesoni2!

0 Karma

SplunkTrust

My answer was pseudo code, assuming that you already have the full query written to get you totalsessions and totalcrashes from those two searches. I believe @sundareshr's answer should do the trick for you.

0 Karma
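An added example, not posted by anyone in this thread: the same ratio computed in a single search with conditional counts, which avoids appendcols and its requirement for a preceding reporting command. It uses only the platform and sourcetype values from the question. Field names in eval are case-sensitive, so the names created by stats are reused with exactly the same spelling.

```spl
platform=Android (sourcetype="mint:Ping" OR sourcetype="mint:error")
| stats count(eval(sourcetype="mint:Ping")) AS total_sessions
        count(eval(sourcetype="mint:error")) AS total_crashes
| eval Average=if(total_crashes > 0, round(total_sessions / total_crashes, 2), null())
| table total_sessions total_crashes Average
```

Adding a BY clause to the stats command, naming whichever field holds the device in your data, returns one row per device with its own Average.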