Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Calculate percentage from a join query

justjosh
Explorer
‎10-30-2012 05:15 AM

I need to calculate the percentage of products that I have searched for that exist in a specific product catalog.

I have written an inner join, which gets all the product_ids from the search and does as inner join into the product catalog:

sourcetype=products | fields product_id |join product_id [search sourcetype=catalogue |fields product_id ] | stats count

I added stats count which gives the number of products from the search in the catalog.

How can I modify the query so it returns the count as a percentage of total products that were returned from the initial search?

Tags (2)
0 Karma
Reply

justgrumpy
Path Finder
‎11-01-2012 07:37 AM

I'm not sure if there is some built-in function or command to get what you want, but I believe the following query will get you close:

sourcetype=products
 | stats dc(product_id) as count by product_id
 | eventstats dc(product_id) as totalCount
 | join product_id [search sourcetype=catalogue]
 | stats count as lookupCount values(totalCount) as totalCount
 | eval percTotal=lookupCount/totalCount
  1. The first stats line gets you a distinct list of product ids that will be needed later for the join.
  2. The eventstats line adds a count of the number of products found to each result from the previous stats. This is needed later for the calculation of percentage of total products.
  3. The join is basically the same except I removed the fields.
  4. The next stats line gets a count of the items found from the join as well as carrying over the totalCount from the previous results.
  5. The eval gets your percentage of total products that were returned from the initial search.
0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...