Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Divide a Result By Two

henryt1
Path Finder
‎06-20-2012 09:26 AM

The following search I'm running is giving me duplicate results for each event:

(host="zakta-test.inno-360.com") AND (demo-landscaping-test.inno-360.com) AND ("POST /search2sectionhandler.php" OR "POST /search2keephandler.php") | stats count by referer_domain

For instance if there were five events I'm interested in within the past hour it will return 10. However if I try to use "dedup" it just gives me a count of 1 since they're all similar events.

How would I divide the results by 2 within Splunk? To make it a little obvious just doing 10/2=5.

Reply
1 Solution
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎06-20-2012 09:52 AM

Instead of deduping based on host (not sure if that's what you are doing) maybe you could create another field for the URI's and dedup by those? Or maybe it's referer_domain that would work. Anyways hard to tell without seeing your raw events.

If you want to manipulate your count just use the eval command but hopefully you can find a way to use dedup. 

... | eval newCount = count/2

View solution in original post

Reply
Solved! Jump to solution

cheganbm
Explorer
‎02-27-2014 07:55 AM

using the fieldformat operator should do what you need.

...|fieldformat count=count/2
Reply
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎06-20-2012 09:52 AM

Instead of deduping based on host (not sure if that's what you are doing) maybe you could create another field for the URI's and dedup by those? Or maybe it's referer_domain that would work. Anyways hard to tell without seeing your raw events.

If you want to manipulate your count just use the eval command but hopefully you can find a way to use dedup. 

... | eval newCount = count/2
Reply
Solved! Jump to solution

henryt1
Path Finder
‎06-25-2012 11:39 AM

This is great, thank you!

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎06-20-2012 10:52 AM

You could do
... | fields - count or pipe it to table and specify the columns you want ... | table myCount referer_domain. I think both of those will get rid of count for you.

0 Karma
Reply
Solved! Jump to solution

henryt1
Path Finder
‎06-20-2012 10:38 AM

Thank you! This worked but it created a new column. Would there be a way to hide the original column (since I'm creating a chart from this and only need the new column)? Or would it be possible to divide this without creating a new column?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...