Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate percentage from 2 tstats searches

ftonen
Explorer
‎01-06-2020 07:23 AM

EDIT: The below search suddenly did work, so my issue is solved!

So I have two searches in a dashobard, but resulting in a number:

| tstats count AS "Count" from datamodel=my_first-datamodel (nodename = node.name.1) summariesonly=t prestats=true | stats dedup_splitvals=t count AS "Count"

| tstats count AS "Count2" from datamodel=my_second_datamodel where (nodename = node.name.2) summariesonly=t prestats=true | stats dedup_splitvals=t count AS "Count2"

Now I want to calculate with those results. I want to find out what percentage the first search is of the second. I have found other threads but they didn't work, the best I could come up with was this:
| tstats count AS "Count" from datamodel=my_first-datamodel (nodename = node.name.1) summariesonly=t prestats=true | stats dedup_splitvals=t count AS "Count"
| appendcols
[| tstats count AS "Count2" from datamodel=my_second_datamodel (nodename = node.name.2) summariesonly=t prestats=true | stats dedup_splitvals=t count AS "Count2"
]
| eval Perc=round((Count/Count2)*100,2)

Does anyone know? Thanks in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ftonen
Explorer
‎01-07-2020 11:58 PM

I tried this one again and suddenly it did work. Apologies!

| tstats count AS "Count" from datamodel=my_first-datamodel (nodename = node.name.1) summariesonly=t prestats=true | stats dedup_splitvals=t count AS "Count"
| appendcols
[| tstats count AS "Count2" from datamodel=my_second_datamodel (nodename = node.name.2) summariesonly=t prestats=true | stats dedup_splitvals=t count AS "Count2"
]
| eval Perc=round((Count/Count2)*100,2)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ftonen
Explorer
‎01-07-2020 11:58 PM

I tried this one again and suddenly it did work. Apologies!

| tstats count AS "Count" from datamodel=my_first-datamodel (nodename = node.name.1) summariesonly=t prestats=true | stats dedup_splitvals=t count AS "Count"
| appendcols
[| tstats count AS "Count2" from datamodel=my_second_datamodel (nodename = node.name.2) summariesonly=t prestats=true | stats dedup_splitvals=t count AS "Count2"
]
| eval Perc=round((Count/Count2)*100,2)

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-08-2020 03:49 AM

@flonen If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎01-07-2020 05:01 AM 
| tstats count AS "Count" from datamodel=my_first-datamodel (nodename = node.name.1) summariesonly=t prestats=true 
| stats dedup_splitvals=t count AS "Count" 
| append 
    [| tstats count AS "Count2" from datamodel=my_second_datamodel (nodename = node.name.2) summariesonly=t prestats=true 
    | stats dedup_splitvals=t count AS "Count2" ] 
| eval Perc="T" 
| stats sum(Count) as Count sum(Count2) as Count2 by Perc 
| eval Perc=round((Count/Count2)*100,2)

Hi, folks. How about append

0 Karma
Reply
Solved! Jump to solution

gfreitas
Builder
‎01-06-2020 08:47 AM

Depending what you want to display on your dashboard you might be looking for subsearches (as you're doing above) or post process searches/base searches. If you want to display let's say value 1 and value2 and then the percentage, all on separate panels, there are some ideas here: https://answers.splunk.com/answers/239159/multiple-base-searches-in-a-dasboard-with-post-pro.html and https://answers.splunk.com/answers/461853/how-to-use-multiple-base-searches-in-one-search.html.
Also, more information about post-process searches can be found here: https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/Savedsearches#Post-process_searches_2

0 Karma
Reply
Solved! Jump to solution

ftonen
Explorer
‎01-07-2020 12:37 AM

Thanks for your reponse!

I already have two panels with information, those are the 2 searches I mentioned in the beginning. I'm stuck at the point where I calculate with them, even tried making searches a variable. The links you provided did not discus the calculating part.

0 Karma
Reply
Solved! Jump to solution

gfreitas
Builder
‎01-07-2020 03:12 AM

Ohh sorry, so not following exactly why it doesn't work. What results do you get?
Maybe you just want to display the Perc field, append this to the end of your search:
|fields Perc

0 Karma
Reply
Solved! Jump to solution

ftonen
Explorer
‎01-07-2020 06:07 AM

I previously had an error saying something along the lines of that you can't use real-time searching with tstats input. Now I retried the same search and suddenly it did work. Strange, but I'm happy!

Thanks for your help!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...