Eval count in two searches

macadminrohit · ‎02-19-2018

Hi,

I have a search that lists top 50 events based on the following search :

index=servers sourcetype=json appName="" AND appName!="*Server" AND appName!="Service") locId=* level=Warning OR level=Error OR level=Critical) bdy.msg="Scanner*"
top 50 appName level msg bdy.ex.Msg | addcoltotals | fields - percent

This give me top 50 events with their count. I have another search with slight change :

index=servers sourcetype=json appName="" AND appName!="*Server" AND appName!="Service") locId=* level=Information bdy.msg="Scanner*"
top 50 appName level msg bdy.ex.Msg | addcoltotals | fields - percent

only thing changing is Level . Now i have to calculate the ratio of both the counts from two searches. how can i do that. any help is highly appreciated.

Thanks
Rohit

somesoni2 · ‎02-19-2018

Give this a try

index=servers sourcetype=json (appName="*"  AND appName!="*Server*" AND appName!="*Service*") locId=* (level=Warning OR level=Error OR level=Critical OR level=Information)   bdy.msg="Scanner*"
| eval level=if(level="Information",level,"NonInformation")
|  top 50 appName msg bdy.ex.Msg by level showperc=f 
| eval Info=if(level="Information",count,null())
| eval NonInfo=if(level!="Information",count,null())
| stats values(Info) as Info values(NonInfo) as NonInfo by appName msg bdy.ex.Msg
| addcoltotals 
| eval Ratio=Info/NonInfo

Eval count in two searches

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life