Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Calculate percentage from a join query

justjosh
Explorer
‎10-30-2012 05:15 AM

I need to calculate the percentage of products that I have searched for that exist in a specific product catalog.

I have written an inner join, which gets all the product_ids from the search and does as inner join into the product catalog:

sourcetype=products | fields product_id |join product_id [search sourcetype=catalogue |fields product_id ] | stats count

I added stats count which gives the number of products from the search in the catalog.

How can I modify the query so it returns the count as a percentage of total products that were returned from the initial search?

Tags (2)
0 Karma
Reply

justgrumpy
Path Finder
‎11-01-2012 07:37 AM

I'm not sure if there is some built-in function or command to get what you want, but I believe the following query will get you close:

sourcetype=products
 | stats dc(product_id) as count by product_id
 | eventstats dc(product_id) as totalCount
 | join product_id [search sourcetype=catalogue]
 | stats count as lookupCount values(totalCount) as totalCount
 | eval percTotal=lookupCount/totalCount
  1. The first stats line gets you a distinct list of product ids that will be needed later for the join.
  2. The eventstats line adds a count of the number of products found to each result from the previous stats. This is needed later for the calculation of percentage of total products.
  3. The join is basically the same except I removed the fields.
  4. The next stats line gets a count of the items found from the join as well as carrying over the totalCount from the previous results.
  5. The eval gets your percentage of total products that were returned from the initial search.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...