Splunk Search

Assigning a row value for arithmetic calculation

Gowtham0809
New Member

I have a table output like
Date              Title  Product      Count
10 November 2019  PA     Number of A  371
10 November 2019  PA     Number of B  129
10 November 2019  PA     Number of C  195
10 November 2019  PA     Number of D  110
10 November 2019  PA     Total        455
10 November 2019  PA     Number of E  1
10 November 2019  PA     Number of F  0
10 November 2019  PA     Number of G  0
10 November 2019  PA     Number of H  0
10 November 2019  PA)    Number of I  129

Here I have to perform the ratio calculation with respect to the total value, for the remaining field values in the Count field. I do not want to print the calculation as | eval ratio=(Count/455)*100. I want to pass this value of total as some static field, as my total value keeps changing dynamically.

Is there a possible way

0 Karma

richgalloway
SplunkTrust

This may help.

index=foo | eval Total=0, Sum=0 
| eval Total=if(Product="Total", Total+Count, Total), Sum=If(Product!="Total", Sum+Count, Sum)
| eval ratio=(Sum*100)/Total
---
If this reply helps you, Karma would be appreciated.
0 Karma

Gowtham0809
New Member

Hello Richgalloway

Thanks for your input. Using this, I am able to get the Total column as 0 for all the rows and the value 455 only for the Total rows, and the Sum column with the same values as Count, except the Total row, which is 0.

If I get the value of total, 455, as a value for a new field for all the rows, then I can perform the ratio part easily. Is it possible?

Thanks

0 Karma

richgalloway
SplunkTrust

Please disregard this answer as it won't work. I don't know what I was thinking when I wrote it. Sorry.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Gowtham0809
New Member

Is there any way to get a solution for my condition?

0 Karma
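
Added example, not part of the original thread: one way to copy the Count of the Total row onto every row of the same Date and Title, so the ratio follows the total as it changes. The rows are constructed from the table in the question; TotalRow, Total and ratio are names chosen for this example, and the first command assumes a Splunk version whose makeresults accepts format=csv (otherwise start from the base search that produces the table).

```spl
| makeresults format=csv data="Date,Title,Product,Count
10 November 2019,PA,Number of A,371
10 November 2019,PA,Number of B,129
10 November 2019,PA,Number of C,195
10 November 2019,PA,Total,455
10 November 2019,PA,Number of E,1
10 November 2019,PA,Number of F,0"
| eval TotalRow=if(Product="Total", Count, null())
| eventstats max(TotalRow) as Total by Date Title
| eval ratio=round(Count*100/Total, 2)
| fields Date Title Product Count Total ratio
```

eval only sees one row at a time, which is why Total stayed 0 on the non-Total rows earlier in the thread; eventstats computes the aggregate across rows and writes it back to each of them.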