Solved: Calculate Average in same field

nivethainspire_ · ‎11-26-2020

I like to take sum the "count" where "Core Content" field's first 2 max values, Finally divide them by total count.

For Example,

In this table, I want the below calculation to be implemented using Eval.

(2223+1794) / 4768, where 2223 - 1st max value of core content, 1794 - 2nd max value of core content , 4768 - total count.

How to calculate this using eval.

gcusello · ‎11-26-2020

let me understand: do you want to display values and percentage of the first two values?

if yes, try something like this:

your_search
| stats count AS Count BY "Core Content"
| sort -Count 
| head 2 
| eventstats sum(Count) AS total 
| eval perc=round(Count/total*100,2)

Ciao.

Giuseppe

ITWhisperer · ‎11-27-2020

your_search
| stats count AS Count BY "Core Content"
| eventstats sum(Count) AS total 
| eval Count=Count/total
| sort - Count 
| head 2

gcusello · ‎11-26-2020

let me understand: do you want to display values and percentage of the first two values?

if yes, try something like this:

your_search
| stats count AS Count BY "Core Content"
| sort -Count 
| head 2 
| eventstats sum(Count) AS total 
| eval perc=round(Count/total*100,2)

Ciao.

Giuseppe

gcusello · ‎11-27-2020

good for you!

Ciao and happy splunking.

Giuseppe

P.S. Karma Points are appreciated by all the contributors 😉

nivethainspire_ · ‎11-27-2020

Thanks!. It works. Same way, I have to leave the first 2 max values and do the same for others. What should I do.

gcusello · ‎11-27-2020

if instead you want two values but the percentage respect all the values, you could use the top command:

your_search
| top 2 "Core Content"

Ciao.

Giuseppe

nivethainspire_ · ‎11-27-2020

I want to leave the top 2 and sum up others

Calculate Average in same field