Splunk Search

Calculating a ratio of distinct counts in a timechart

Engager

I have series of events with user ids in them. I would like to calculate the ratio of distinct user ids for events that have a type of X vs. the distinct user ids for events that have a type of Y, in a timechart over time grouped by a different field.

What would be the right way to do this?

0 Karma

Builder

Would something like this give you results close to what you're after?

index=main "blabla" | eval typeX=IF(userType="X",1,0) | eval typeY=IF(userType="Y",1,0) | timechart sum(typeX), sum(typeY) by state

0 Karma

SplunkTrust
SplunkTrust

Something like this?

index=blaw sourcetype=blaw type=X OR type=Y | bucket span=SpanOfYourChoice _time | stats count by _time, type, userId | timechart span=SpanOfYourChoice dc(eval(type="X")) as Xcount dc(eval(type="Y")) as Ycount | eval XYratio=Xcount/Ycount | table _time, XYratio
0 Karma