
Calculate percentage from 2 tstats searches

ftonen
Explorer

EDIT: The below search suddenly did work, so my issue is solved!

So I have two searches in a dashboard, both resulting in a number:

| tstats count AS "Count" from datamodel=my_first-datamodel where (nodename = node.name.1) summariesonly=t prestats=true | stats dedup_splitvals=t count AS "Count"

| tstats count AS "Count2" from datamodel=my_second_datamodel where (nodename = node.name.2) summariesonly=t prestats=true | stats dedup_splitvals=t count AS "Count2"

Now I want to calculate with those results. I want to find out what percentage the first search is of the second. I have found other threads but they didn't work, the best I could come up with was this:
| tstats count AS "Count" from datamodel=my_first-datamodel where (nodename = node.name.1) summariesonly=t prestats=true | stats dedup_splitvals=t count AS "Count"
| appendcols
[| tstats count AS "Count2" from datamodel=my_second_datamodel where (nodename = node.name.2) summariesonly=t prestats=true | stats dedup_splitvals=t count AS "Count2"
]
| eval Perc=round((Count/Count2)*100,2)

Does anyone know? Thanks in advance!

0 Karma
1 Solution

ftonen
Explorer

I tried this one again and suddenly it did work. Apologies!

| tstats count AS "Count" from datamodel=my_first-datamodel where (nodename = node.name.1) summariesonly=t prestats=true | stats dedup_splitvals=t count AS "Count"
| appendcols
[| tstats count AS "Count2" from datamodel=my_second_datamodel where (nodename = node.name.2) summariesonly=t prestats=true | stats dedup_splitvals=t count AS "Count2"
]
| eval Perc=round((Count/Count2)*100,2)

0 Karma

richgalloway
SplunkTrust

@ftonen If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

to4kawa
Ultra Champion
| tstats count AS "Count" from datamodel=my_first-datamodel where (nodename = node.name.1) summariesonly=t prestats=true 
| stats dedup_splitvals=t count AS "Count" 
| append 
    [| tstats count AS "Count2" from datamodel=my_second_datamodel where (nodename = node.name.2) summariesonly=t prestats=true 
    | stats dedup_splitvals=t count AS "Count2" ] 
| eval Perc="T" 
| stats sum(Count) as Count sum(Count2) as Count2 by Perc 
| eval Perc=round((Count/Count2)*100,2)

Hi, folks. How about append?

0 Karma

gfreitas
Builder

Depending on what you want to display on your dashboard, you might be looking for subsearches (as you're doing above) or post-process searches/base searches. If you want to display, let's say, value 1 and value 2 and then the percentage, all on separate panels, there are some ideas here: https://answers.splunk.com/answers/239159/multiple-base-searches-in-a-dasboard-with-post-pro.html and https://answers.splunk.com/answers/461853/how-to-use-multiple-base-searches-in-one-search.html.
Also, more information about post-process searches can be found here: https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/Savedsearches#Post-process_searches_2

0 Karma

ftonen
Explorer

Thanks for your response!

I already have two panels with information, those are the 2 searches I mentioned in the beginning. I'm stuck at the point where I calculate with them, even tried making searches a variable. The links you provided did not discuss the calculating part.

0 Karma

gfreitas
Builder

Ohh sorry, so not following exactly why it doesn't work. What results do you get?
Maybe you just want to display the Perc field, append this to the end of your search:
|fields Perc

0 Karma

ftonen
Explorer

I previously had an error saying something along the lines of that you can't use real-time searching with tstats input. Now I retried the same search and suddenly it did work. Strange, but I'm happy!

Thanks for your help!

0 Karma
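
The combined search from this thread placed in a Simple XML single-value panel, as an added example that is not part of the original thread. It pins the panel to a fixed, non-real-time time range, since ftonen reported a real-time error with tstats. The datamodel and node names are the thread's placeholders; the dashboard label, panel title, the -24h@h window and the explicit zero-denominator guard are assumptions.

```xml
<dashboard>
  <label>Datamodel ratio (example)</label>
  <row>
    <panel>
      <single>
        <title>First count as % of second</title>
        <search>
          <!-- CDATA keeps the SPL brackets and comparison operators out of XML parsing -->
          <query><![CDATA[
| tstats count AS "Count" from datamodel=my_first-datamodel where (nodename = node.name.1) summariesonly=t prestats=true
| stats dedup_splitvals=t count AS "Count"
| appendcols
    [| tstats count AS "Count2" from datamodel=my_second_datamodel where (nodename = node.name.2) summariesonly=t prestats=true
     | stats dedup_splitvals=t count AS "Count2"]
| eval Perc=if(Count2 > 0, round((Count/Count2)*100,2), null())
| fields Perc
          ]]></query>
          <!-- Assumed window: historical bounds only, no rt- prefix, so the panel never runs as a real-time search -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="unit">%</option>
      </single>
    </panel>
  </row>
</dashboard>
```

If the dashboard has a shared time picker, a panel that inherits it can still be switched to a real-time range by the user; setting the bounds on the search itself avoids that.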